add allowed_origin to config

-raise 403 error if a request doesn't have a matching origin
Jack Robison 2020-05-25 10:02:13 -04:00 committed by Lex Berezhny
parent f975ea99cb
commit 08d37a4b0f
2 changed files with 6 additions and 0 deletions


@ -625,6 +625,7 @@ class Config(CLIConfig):
previous_names=['upload_log', 'upload_log', 'share_debug_info']
)
track_bandwidth = Toggle("Track bandwidth usage", True)
allowed_origin = String("Allowed origin header for api calls, use * to allow all", 'null')
# media server
streaming_server = String('Host name and port to serve streaming media over range requests',
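Review bot: The help text for `allowed_origin` does not explain what the default `'null'` means, nor that the value is compared as one exact string rather than a list or pattern. Judging by the handler change in the other file, `'null'` is presumably meant to stand for requests that carry no `Origin` header; I would say so in the description, e.g. `"Allowed Origin header for api calls (exact match on one origin), use * to allow all, 'null' to allow only requests without an Origin"`. It is also worth a comment that browsers send a literal `Origin: null` from opaque contexts such as sandboxed iframes, so `'null'` is not the same as "local non-browser clients only". The `Config` class body continues outside the hunk.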


@ -566,6 +566,11 @@ class Daemon(metaclass=JSONRPCServerType):
log.info("finished shutting down")
async def handle_old_jsonrpc(self, request):
origin = request.headers.get('Origin', 'null')
origin = None if origin == 'null' else origin
if origin != self.conf.allowed_origin != '*':
log.warning("API request from origin '%s' is not allowed", origin)
raise web.HTTPForbidden()
data = await request.json()
params = data.get('params', {})
include_protobuf = params.pop('include_protobuf', False) if isinstance(params, dict) else False
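Review bot: The second added line rewrites an origin of `'null'` to `None`, but the new config default is the string `'null'`, so with default settings `None != 'null'` holds and a request with no `Origin` header appears to get a 403. This holds unless `String` converts `'null'` to `None`, which is not visible here. Dropping the `origin = None if origin == 'null' else origin` line, or normalising the config value the same way before comparing, would make the default match. The chained comparison is also easy to misread; `if self.conf.allowed_origin != '*' and origin != self.conf.allowed_origin:` states the same condition explicitly. Only `handle_old_jsonrpc` is guarded here and its body continues outside the hunk, so any other HTTP handlers on the daemon would need the same check.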