dms3 / go-dms3-cmds

Commit b00bc407
authored Apr 06, 2020 by Hector Sanjuan

http: block all ^Mozilla user agents without Origin nor Referer

parent cd51b41f
Showing 2 changed files with 17 additions and 32 deletions (+17 -32)

http/config.go +9 -27
http/errors_test.go +8 -5
http/config.go
@@ -15,19 +15,6 @@ const (
ACACredentials
=
"Access-Control-Allow-Credentials"
)
// disallowedUserAgents specifies a denylist of user agents that are not
// allowed to perform POST requests if they are not providing Origin
// and/or Referer headers. As mitigation for things like
// https://bugzilla.mozilla.org/show_bug.cgi?id=429594. Defaults to
// Firefox-related things. The matching against the user-agent string
// is made with strings.Contains().
var
disallowedUserAgents
=
[]
string
{
"Firefox"
,
"Focus"
,
"Klar"
,
"FxiOS"
,
}
type
ServerConfig
struct
{
// APIPath is the prefix of all request paths.
// Example: host:port/api/v0/add. Here the APIPath is /api/v0
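Review bot: deleting the package-level disallowedUserAgents denylist here also deletes the only comment that explains why user agents are inspected at all, namely the reference to https://bugzilla.mozilla.org/show_bug.cgi?id=429594. The replacement check in allowUserAgent blocks every "Mozilla"-prefixed agent that sends neither Origin nor Referer, so that rationale still applies; carry the bug link over to the comment on the new check so a later reader can see which browser behaviour motivated blocking an entire user-agent family.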
@@ -44,14 +31,6 @@ type ServerConfig struct {
// websites to include resources from the API but not _read_ them.
AllowGet
bool
// DisallowUserAgents specifies a blacklist of user agents that are not
// allowed to perform POST requests if they are not providing Origin
// and/or Referer headers. As mitigation for things like
// https://bugzilla.mozilla.org/show_bug.cgi?id=429594.
// Defaults to ["Firefox"]. The matching against the user-agent
// string is made with strings.Contains().
DisallowUserAgents
[]
string
// corsOpts is a set of options for CORS headers.
corsOpts
*
cors
.
Options
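Review bot: removing the exported DisallowUserAgents []string field from ServerConfig is a breaking API change. Any caller that sets it in a struct literal stops compiling, and operators who tuned the list lose that knob with no replacement, since the check is now hard-wired to the "Mozilla" prefix. State the removal explicitly in the commit message or changelog (the title only describes the new behaviour), and consider whether the field should be kept for one release as a no-op with a deprecation comment so downstream configs fail loudly rather than silently.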
@@ -191,12 +170,15 @@ func allowUserAgent(r *http.Request, cfg *ServerConfig) bool {
return
true
}
//
If not, check that request is not from a blacklisted UA.
//
Allow if the user agent does not start with Mozilla... (i.e. curl)
ua
:=
r
.
Header
.
Get
(
"User-agent"
)
for
_
,
forbiddenUA
:=
range
disallowedUserAgents
{
if
strings
.
Contains
(
ua
,
forbiddenUA
)
{
return
false
}
if
!
strings
.
HasPrefix
(
ua
,
"Mozilla"
)
{
return
true
}
return
true
// Disallow otherwise.
//
// This means the request probably came from a browser and thus, it
// should have included Origin or referer headers.
return
false
}
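Review bot: the new check fails open for anything that is not "Mozilla"-prefixed, including an empty User-Agent, and the comment "Allow if the user agent does not start with Mozilla... (i.e. curl)" does not say so; make that explicit (and "i.e." should be "e.g.", curl is one example). Since User-Agent is client-supplied, this branch is a heuristic to catch browsers that omitted Origin/Referer, not an access control; the comment above it should say that the real guarantee comes from the Origin/Referer validation that returns true earlier in this function. Two smaller points: r.Header.Get("User-agent") works because Header.Get canonicalises the key, but writing "User-Agent" avoids a double take, and the closing comment should read "Origin or Referer headers" to match the header name used in the commit title.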
http/errors_test.go
@@ -174,7 +174,7 @@ func TestUnhandledMethod(t *testing.T) {
func
TestDisallowedUserAgents
(
t
*
testing
.
T
)
{
tcs
:=
[]
httpTestCase
{
{
// Block
Firefox
// Block
Mozilla* browsers that do not provide origins.
Method
:
"POST"
,
AllowGet
:
false
,
Code
:
http
.
StatusForbidden
,
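Review bot: the comment now reads "Block Mozilla* browsers that do not provide origins.", which matches the new behaviour, but this table has no case for the other new branch in allowUserAgent: a POST with a non-"Mozilla" user agent, or with no User-Agent header at all, and no Origin/Referer, which is now accepted. Add such a case with Code: http.StatusOK so the fail-open path is pinned down and a later change to the prefix check is caught by the tests.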
@@ -192,10 +192,13 @@ func TestDisallowedUserAgents(t *testing.T) {
},
},
{
// Do not block Chrome
Method
:
"POST"
,
AllowGet
:
false
,
Code
:
http
.
StatusOK
,
// Do not block a Mozilla* browser that provides an
// allowed Origin
Method
:
"POST"
,
AllowGet
:
false
,
AllowOrigins
:
[]
string
{
"*"
},
Origin
:
"null"
,
Code
:
http
.
StatusOK
,
ReqHeaders
:
map
[
string
]
string
{
"User-Agent"
:
"Mozilla/5.0 (Linux; U; Android 4.1.1; en-gb; Build/KLP) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30"
,
},
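Review bot: this case only covers the permissive path: AllowOrigins: []string{"*"} together with Origin: "null" expects http.StatusOK. "null" is the opaque origin browsers send for sandboxed frames and some redirects, so accepting it under a wildcard is expected, but there is no companion case where an Origin is present yet absent from AllowOrigins; one expecting http.StatusForbidden would confirm that the Origin value is validated and not merely checked for presence. The replaced "Do not block Chrome" comment was also misleading for an Android WebKit User-Agent string, so the new wording is an improvement.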