From: Rafał Miłecki <ra...@milecki.pl>

By default uhttpd replies with Access-Control-Allow-Origin set to the
URL taken from the request's Origin header. That lets any website send
CORS requests, which enables attacks.

Add support for -o option that allows specifying a single URL to be put
in the Access-Control-Allow-Origin.

Signed-off-by: Rafał Miłecki <ra...@milecki.pl>
---
I use this patch with addition of a single init.d script line:
append_arg "$cfg" ubus_origin "-o"

Does anyone find it useful?
---
 main.c   | 7 ++++++-
 ubus.c   | 2 +-
 uhttpd.h | 1 +
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/main.c b/main.c
index 73e3d42..c5f2fe4 100644
--- a/main.c
+++ b/main.c
@@ -263,7 +263,7 @@ int main(int argc, char **argv)
        init_defaults_pre();
        signal(SIGPIPE, SIG_IGN);
 
-       while ((ch = getopt(argc, argv, 
"A:aC:c:Dd:E:e:fh:H:I:i:K:k:L:l:m:N:n:P:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) {
+       while ((ch = getopt(argc, argv, 
"A:aC:c:Dd:E:e:fh:H:I:i:K:k:L:l:m:N:n:o:P:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) {
                switch(ch) {
 #ifdef HAVE_TLS
                case 'C':
@@ -492,6 +492,10 @@ int main(int argc, char **argv)
                        conf.ubus_cors = 1;
                        break;
 
+               case 'o':
+                       conf.ubus_origin = optarg;
+                       break;
+
                case 'e':
                        conf.events_retry = atoi(optarg);
                        break;
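Review bot: The new `case 'o'` stores optarg without checking it, so `-o ""` leaves conf.ubus_origin pointing at an empty string, which is still non-NULL and (per the ubus.c hunk) is emitted as an empty `Access-Control-Allow-Origin:` value instead of either refusing the option or falling back. Since main() returns int, a small guard before the assignment would make the misconfiguration visible at startup: `if (!*optarg) { fprintf(stderr, "uhttpd: -o requires a non-empty origin\n"); return 1; }`. The value is an origin (scheme://host[:port]), not a full URL, so the option's help text — not visible in this hunk — should say so if one is added.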
@@ -500,6 +504,7 @@ int main(int argc, char **argv)
                case 'u':
                case 'U':
                case 'X':
+               case 'o':
                case 'e':
                        fprintf(stderr, "uhttpd: UBUS support not compiled, "
                                        "ignoring -%c\n", ch);
diff --git a/ubus.c b/ubus.c
index 39b38b2..27c1c95 100644
--- a/ubus.c
+++ b/ubus.c
@@ -169,7 +169,7 @@ static void uh_ubus_add_cors_headers(struct client *cl)
        }
 
        ustream_printf(cl->us, "Access-Control-Allow-Origin: %s\r\n",
-                      blobmsg_get_string(tb[HDR_ORIGIN]));
+                      conf.ubus_origin ? conf.ubus_origin : 
blobmsg_get_string(tb[HDR_ORIGIN]));
 
        if (tb[HDR_ACCESS_CONTROL_REQUEST_HEADERS])
                ustream_printf(cl->us, "Access-Control-Allow-Headers: %s\r\n",
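Review bot: When conf.ubus_origin is set, the configured value is written for every request regardless of what the request's Origin header contains, so rejection of other origins relies entirely on the browser comparing the two; the server itself never checks. A server-side comparison makes the intent explicit and avoids emitting CORS headers to a non-matching origin at all: `if (conf.ubus_origin && strcmp(conf.ubus_origin, blobmsg_get_string(tb[HDR_ORIGIN])) != 0) return;` placed before the ustream_printf (assuming `tb[HDR_ORIGIN]` is already guaranteed non-NULL by the check that appears to end at the `}` on the first context line, and that nothing has been written to `cl->us` earlier in this function — both outside the hunk). The reflect-the-request default remains unchanged by this patch, which the commit message describes as the attackable behaviour; a comment above the call such as `/* -o pins the allowed origin; without it the request Origin is reflected (permissive) */` would keep that trade-off visible. uh_ubus_add_cors_headers() starts and ends outside this hunk.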
diff --git a/uhttpd.h b/uhttpd.h
index e61e176..f924c77 100644
--- a/uhttpd.h
+++ b/uhttpd.h
@@ -81,6 +81,7 @@ struct config {
        int script_timeout;
        int ubus_noauth;
        int ubus_cors;
+       const char *ubus_origin;
        int cgi_prefix_len;
        int events_retry;
        struct list_head cgi_alias;
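Review bot: The new `ubus_origin` member has no comment, while its NULL-vs-set semantics decide whether the Access-Control-Allow-Origin header is pinned or reflects the request Origin, and the neighbouring `ubus_cors`/`ubus_noauth` fields give no hint of the relationship. A one-line comment on the field, e.g. `const char *ubus_origin;	/* -o: fixed Access-Control-Allow-Origin value; NULL reflects the request Origin */`, documents the contract where the ubus.c code reads it. Since it aliases optarg (argv storage), it does not need freeing, which is worth stating too.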
-- 
2.27.0

