	Merge branch 'master' into icon-security
		| @@ -283,6 +283,14 @@ fn get_page_with_cookies(url: &str, cookie_str: &str) -> Result<Response, Error> | ||||
|     if check_icon_domain_is_blacklisted(Url::parse(url).unwrap().host_str().unwrap_or_default()) { | ||||
|         err!("Favicon rel linked to a non blacklisted domain!"); | ||||
|     } | ||||
|  | ||||
|     if cookie_str.is_empty() { | ||||
|         CLIENT | ||||
|             .get(url) | ||||
|             .send()? | ||||
|             .error_for_status() | ||||
|             .map_err(Into::into) | ||||
|     } else { | ||||
|         CLIENT | ||||
|             .get(url) | ||||
|             .header("cookie", cookie_str) | ||||
| @@ -290,6 +298,7 @@ fn get_page_with_cookies(url: &str, cookie_str: &str) -> Result<Response, Error> | ||||
|             .error_for_status() | ||||
|             .map_err(Into::into) | ||||
|     } | ||||
| } | ||||
|  | ||||
| /// Returns a Integer with the priority of the type of the icon which to prefer. | ||||
| /// The lower the number the better. | ||||
|   | ||||
							
								
								
									
										19
									
								
								src/util.rs
									
									
									
									
									
								
							| @@ -42,6 +42,13 @@ impl CORS { | ||||
|             _ => "".to_string(), | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     fn valid_url(url: String) -> String { | ||||
|         match url.as_ref() { | ||||
|             "file://" => "*".to_string(), | ||||
|             _ => url, | ||||
|         } | ||||
|     } | ||||
| } | ||||
|  | ||||
| impl Fairing for CORS { | ||||
| @@ -56,21 +63,17 @@ impl Fairing for CORS { | ||||
|         let req_headers = request.headers(); | ||||
|  | ||||
|         // We need to explicitly get the Origin header for Access-Control-Allow-Origin | ||||
|         let req_allow_origin = CORS::get_header(&req_headers, "Origin"); | ||||
|         let req_allow_origin = CORS::valid_url(CORS::get_header(&req_headers, "Origin")); | ||||
|  | ||||
|         response.set_header(Header::new("Access-Control-Allow-Origin", req_allow_origin)); | ||||
|  | ||||
|         if request.method() == Method::Options { | ||||
|             let req_allow_headers = CORS::get_header(&req_headers, "Access-Control-Request-Headers"); | ||||
|  | ||||
|             let req_allow_method = CORS::get_header(&req_headers,"Access-Control-Request-Method"); | ||||
|  | ||||
|         if request.method() == Method::Options || response.content_type() == Some(ContentType::JSON) { | ||||
|             // Requests with credentials need explicit values since they do not allow wildcards. | ||||
|             response.set_header(Header::new("Access-Control-Allow-Origin", req_allow_origin)); | ||||
|             response.set_header(Header::new("Access-Control-Allow-Methods", req_allow_method)); | ||||
|             response.set_header(Header::new("Access-Control-Allow-Headers", req_allow_headers)); | ||||
|             response.set_header(Header::new("Access-Control-Allow-Credentials", "true")); | ||||
|         } | ||||
|  | ||||
|         if request.method() == Method::Options { | ||||
|             response.set_status(Status::Ok); | ||||
|             response.set_header(ContentType::Plain); | ||||
|             response.set_sized_body(Cursor::new("")); | ||||
|   | ||||
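Review bot: `valid_url`, added at the top of the `impl CORS` hunk, passes any `Origin` other than the literal `file://` through unchanged, and `on_response` then reflects it into `Access-Control-Allow-Origin` on every response while the OPTIONS branch also sends `Access-Control-Allow-Credentials: true`; an echoed origin combined with credentials is exactly the combination the CORS wildcard rule exists to forbid, so no cross-origin site is excluded. Whether this matters depends on whether the API honours cookie-based credentials or only bearer tokens, which this hunk does not show, so the choice should at least be recorded above `valid_url`, e.g. `/// Rewrites a file:// Origin to "*" (presumably for clients loaded from disk; confirm). Any other Origin is reflected unchanged: there is no allowlist.` The name `valid_url` also promises validation that does not happen, and `url.as_ref()` on a `String` reads more clearly as `url.as_str()` (or take `&str` directly). If an allowlist is wanted, compare the origin against the configured domain before reflecting it and omit the header otherwise. The enclosing `on_response` starts and ends outside the hunk.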