mirror of https://github.com/fhem/fhem-mirror.git synced 2025-01-31 18:59:33 +00:00

01_FHEMWEB.pm: fix security problem with OPTIONS (reported by Adrian)

git-svn-id: https://svn.fhem.de/fhem/trunk@13118 2b470e98-0d58-463d-a4d8-8e2adae1ed80
rudolfkoenig 2017-01-17 09:28:44 +00:00
parent 59b6a79a33
commit bb214da567
2 changed files with 12 additions and 3 deletions


@ -418,6 +418,18 @@ FW_Read($$)
"Access-Control-Allow-Credentials: true\r\n".
"Access-Control-Max-Age:86400\r\n" : "");
#############################
# Handle OPTIONS Request. Just reeturn headers and don't process any further.
my ($method, $arg, $httpvers) = split(" ", $FW_httpheader[0], 3);
if($method !~ m/^(GET|POST)$/i){
TcpServer_WriteBlocking($FW_chash,
"HTTP/1.1 200 OK\r\n" .
$FW_headerlines.
"Content-Length: 0\r\n\r\n");
delete $hash->{CONTENT_LENGTH};
FW_Read($hash, 1) if($hash->{BUF});
return;
}
#############################
# AUTH
@ -450,7 +462,6 @@ FW_Read($$)
#############################
my $now = time();
my ($method, $arg, $httpvers) = split(" ", $FW_httpheader[0], 3);
$arg .= "&".$POSTdata if($POSTdata);
delete $hash->{CONTENT_LENGTH};
$hash->{LASTACCESS} = $now;
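Review bot: The new pre-AUTH guard in the first hunk, `if($method !~ m/^(GET|POST)$/i)`, answers every method other than GET or POST (HEAD, PUT, DELETE, or a malformed request line) with `200 OK` plus the CORS headers, although its comment says it handles OPTIONS only. Returning before AUTH without processing the request is the right shape for the fix, but a 200 for an unsupported method is misleading to clients and to anyone reading access logs during an investigation. Consider keeping the 200 reply for `$method eq "OPTIONS"` and sending `"HTTP/1.1 405 Method Not Allowed\r\n"` with `"Allow: GET, POST, OPTIONS\r\n"` for everything else. The `/i` flag also accepts lower-case `get`/`post`, while HTTP method names are case-sensitive. If `$FW_httpheader[0]` can be empty, `$method` is undefined in the match, so a `defined` check would avoid the warning. FW_Read starts and ends outside the hunk, so how `$hash->{BUF}` is consumed before the recursive `FW_Read($hash, 1)` call cannot be confirmed from here.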


@ -93,8 +93,6 @@ allowed_Authenticate($$$$)
delete $cl->{".httpAuthHeader"};
return 0 if(!$basicAuth);
return 1 if($FW_httpheader[0] =~ m/^OPTIONS /); #Forum #51362
my $FW_httpheader = $param;
my $secret = $FW_httpheader->{Authorization};
$secret =~ s/^Basic //i if($secret);