
[uhttpd,RFC] ubus: support setting custom CORS origin URL

Message ID 20200923072813.31877-1-zajec5@gmail.com
State RFC

Commit Message

Rafał Miłecki Sept. 23, 2020, 7:28 a.m. UTC
From: Rafał Miłecki <rafal@milecki.pl>

By default uhttpd replies with an Access-Control-Allow-Origin header that
echoes the URL taken from the request's Origin header. This permits
cross-origin (CORS) requests from any website, which enables attacks.

Add support for -o option that allows specifying a single URL to be put
in the Access-Control-Allow-Origin.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
---
I use this patch with addition of a single init.d script line:
append_arg "$cfg" ubus_origin "-o"

Does anyone find it useful?
---
 main.c   | 7 ++++++-
 ubus.c   | 2 +-
 uhttpd.h | 1 +
 3 files changed, 8 insertions(+), 2 deletions(-)


diff --git a/main.c b/main.c
index 73e3d42..c5f2fe4 100644
--- a/main.c
+++ b/main.c
@@ -263,7 +263,7 @@  int main(int argc, char **argv)
 	init_defaults_pre();
 	signal(SIGPIPE, SIG_IGN);
 
-	while ((ch = getopt(argc, argv, "A:aC:c:Dd:E:e:fh:H:I:i:K:k:L:l:m:N:n:P:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) {
+	while ((ch = getopt(argc, argv, "A:aC:c:Dd:E:e:fh:H:I:i:K:k:L:l:m:N:n:o:P:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) {
 		switch(ch) {
 #ifdef HAVE_TLS
 		case 'C':
@@ -492,6 +492,10 @@  int main(int argc, char **argv)
 			conf.ubus_cors = 1;
 			break;
 
+		case 'o':
+			conf.ubus_origin = optarg;
+			break;
+
 		case 'e':
 			conf.events_retry = atoi(optarg);
 			break;
@@ -500,6 +504,7 @@  int main(int argc, char **argv)
 		case 'u':
 		case 'U':
 		case 'X':
+		case 'o':
 		case 'e':
 			fprintf(stderr, "uhttpd: UBUS support not compiled, "
 			                "ignoring -%c\n", ch);
diff --git a/ubus.c b/ubus.c
index 39b38b2..27c1c95 100644
--- a/ubus.c
+++ b/ubus.c
@@ -169,7 +169,7 @@  static void uh_ubus_add_cors_headers(struct client *cl)
 	}
 
 	ustream_printf(cl->us, "Access-Control-Allow-Origin: %s\r\n",
-	               blobmsg_get_string(tb[HDR_ORIGIN]));
+	               conf.ubus_origin ? conf.ubus_origin : blobmsg_get_string(tb[HDR_ORIGIN]));
 
 	if (tb[HDR_ACCESS_CONTROL_REQUEST_HEADERS])
 		ustream_printf(cl->us, "Access-Control-Allow-Headers: %s\r\n",
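Review bot: With `-o` configured, a request whose Origin differs from the configured value still receives a complete set of CORS headers — the fixed Allow-Origin on the changed line plus the Allow-Headers emitted right after it — so enforcement is left entirely to the browser's string comparison. Comparing server-side before emitting anything, e.g. `if (conf.ubus_origin && strcmp(conf.ubus_origin, blobmsg_get_string(tb[HDR_ORIGIN])) != 0) return;`, would keep responses to disallowed origins free of CORS headers and make the policy explicit in the code. The match must stay exact (scheme, host and port), which is also what browsers do, so the option should be documented as taking a full origin such as `http://192.168.1.1`. The added line also exceeds the 80-column width the surrounding code keeps; splitting the ternary onto its own line would match the file's style. Whatever guards `tb[HDR_ORIGIN]` against being absent, and the rest of uh_ubus_add_cors_headers, lie outside the hunk.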
diff --git a/uhttpd.h b/uhttpd.h
index e61e176..f924c77 100644
--- a/uhttpd.h
+++ b/uhttpd.h
@@ -81,6 +81,7 @@  struct config {
 	int script_timeout;
 	int ubus_noauth;
 	int ubus_cors;
+	const char *ubus_origin;
 	int cgi_prefix_len;
 	int events_retry;
 	struct list_head cgi_alias;
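Review bot: The new `ubus_origin` field carries no comment explaining its NULL semantics, which is the security-relevant part: a NULL pointer means the request's Origin is echoed back unchanged, while a non-NULL string is emitted verbatim as Access-Control-Allow-Origin. Suggest `const char *ubus_origin; /* -o: fixed Access-Control-Allow-Origin; NULL echoes request Origin */` so a reader of the header does not have to trace ubus.c to learn that the default is the permissive one. The struct config definition continues beyond the hunk.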