rc: Added command line parameter to control the cross origin resource sharing (CORS) in the rcd. (Security Improvement)

rc: Import statements


Fixing the problem with test
Chaitanya 2019-08-08 10:26:58 +05:30 committed by Nick Craig-Wood
parent 5195075677
commit 33677ff367
4 changed files with 23 additions and 14 deletions


@ -17,14 +17,15 @@ import (
// Options contains options for the remote control server
type Options struct {
HTTPOptions httplib.Options
Enabled bool // set to enable the server
Serve bool // set to serve files from remotes
Files string // set to enable serving files locally
NoAuth bool // set to disable auth checks on AuthRequired methods
WebUI bool // set to launch the web ui
WebGUIUpdate bool // set to download new update
WebGUIFetchURL string // set the default url for fetching webgui
HTTPOptions httplib.Options
Enabled bool // set to enable the server
Serve bool // set to serve files from remotes
Files string // set to enable serving files locally
NoAuth bool // set to disable auth checks on AuthRequired methods
WebUI bool // set to launch the web ui
WebGUIUpdate bool // set to download new update
WebGUIFetchURL string // set the default url for fetching webgui
AccessControlAllowOrigin string // set the access control for CORS configuration
}
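Review bot: The comment on `AccessControlAllowOrigin` does not say what the value is or what leaving it empty means, and the `rc-allow-origin` help text in `AddFlags` has the same gap. Going by the handler change in this commit, the string is sent verbatim as the `Access-Control-Allow-Origin` response header and an empty value falls back to the server's own URL, so the field comment could read `// origin sent in Access-Control-Allow-Origin; empty means the server's own URL`. The flag help could likewise state the default and that `*` lets any website read rc responses, so the risk is visible where the operator sets it, particularly when `NoAuth` is also enabled.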


@ -23,5 +23,6 @@ func AddFlags(flagSet *pflag.FlagSet) {
flags.BoolVarP(flagSet, &Opt.WebUI, "rc-web-gui", "", false, "Launch WebGUI on localhost")
flags.BoolVarP(flagSet, &Opt.WebGUIUpdate, "rc-web-gui-update", "", false, "Update / Force update to latest version of web gui")
flags.StringVarP(flagSet, &Opt.WebGUIFetchURL, "rc-web-fetch-url", "", "https://api.github.com/repos/rclone/rclone-webui-react/releases/latest", "URL to fetch the releases for webgui.")
flags.StringVarP(flagSet, &Opt.AccessControlAllowOrigin, "rc-allow-origin", "", "", "Set the allowed origin for CORS.")
httpflags.AddFlagsPrefix(flagSet, "rc-", &Opt.HTTPOptions)
}


@ -13,10 +13,6 @@ import (
"sort"
"strings"
"github.com/skratchdot/open-golang/open"
"github.com/rclone/rclone/fs/rc/jobs"
"github.com/pkg/errors"
"github.com/rclone/rclone/cmd/serve/httplib"
"github.com/rclone/rclone/cmd/serve/httplib/serve"
@ -25,6 +21,9 @@ import (
"github.com/rclone/rclone/fs/config"
"github.com/rclone/rclone/fs/list"
"github.com/rclone/rclone/fs/rc"
"github.com/rclone/rclone/fs/rc/jobs"
"github.com/rclone/rclone/fs/rc/rcflags"
"github.com/skratchdot/open-golang/open"
)
// Start the remote control server if configured
@ -130,7 +129,15 @@ func writeError(path string, in rc.Params, w http.ResponseWriter, err error, sta
func (s *Server) handler(w http.ResponseWriter, r *http.Request) {
path := strings.TrimLeft(r.URL.Path, "/")
w.Header().Add("Access-Control-Allow-Origin", "*")
allowOrigin := rcflags.Opt.AccessControlAllowOrigin
if allowOrigin != "" {
if allowOrigin == "*" {
fs.Logf(nil, "Warning: Allow origin set to *. This can cause serious security problems.")
}
w.Header().Add("Access-Control-Allow-Origin", allowOrigin)
} else {
w.Header().Add("Access-Control-Allow-Origin", s.URL())
}
// echo back access control headers client needs
//reqAccessHeaders := r.Header.Get("Access-Control-Request-Headers")
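Review bot: The fallback `s.URL()` appears to carry a trailing slash (the updated test expects `http://localhost:5572/`), while browsers compare `Access-Control-Allow-Origin` against an Origin value that has no path or trailing slash, so the default would match no origin at all. That fails closed, but if the default is meant to name the server's own origin, send `strings.TrimSuffix(s.URL(), "/")` instead. The `*` warning is also emitted inside `handler`, so it is logged on every request; checking `rcflags.Opt.AccessControlAllowOrigin` once where the server starts would keep the log readable and make the warning harder to miss. The body of `handler` continues past the end of this hunk.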


@ -458,7 +458,7 @@ func TestMethods(t *testing.T) {
Status: http.StatusOK,
Expected: "",
Headers: map[string]string{
"Access-Control-Allow-Origin": "*",
"Access-Control-Allow-Origin": "http://localhost:5572/",
"Access-Control-Request-Method": "POST, OPTIONS, GET, HEAD",
"Access-Control-Allow-Headers": "authorization, Content-Type",
},
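Review bot: Only the default origin is asserted here; nothing visible in this hunk exercises `rc-allow-origin` set to a specific origin or to `*`, so the new branches in `handler` may be untested (other cases may exist outside the hunk). A case that sets `rcflags.Opt.AccessControlAllowOrigin` and checks the returned header would pin the behaviour. Separately, the unchanged line expecting `Access-Control-Request-Method` names a request header; a preflight response is read for `Access-Control-Allow-Methods`, which looks like a pre-existing issue worth a follow-up. `TestMethods` starts and ends outside this hunk.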