01_FHEMWEB.pm: fix security problem with OPTIONS (reported by Adrian)

git-svn-id: https://svn.fhem.de/fhem/trunk@13118 2b470e98-0d58-463d-a4d8-8e2adae1ed80

fhem/FHEM/01_FHEMWEB.pm

@@ -418,6 +418,18 @@ FW_Read($$)
               "Access-Control-Allow-Credentials: true\r\n".
               "Access-Control-Max-Age:86400\r\n" : "");
 
+  #############################
+  # Handle OPTIONS Request. Just reeturn headers and don't process any further.
+  my ($method, $arg, $httpvers) = split(" ", $FW_httpheader[0], 3);
+  if($method !~ m/^(GET|POST)$/i){
+    TcpServer_WriteBlocking($FW_chash,
+      "HTTP/1.1 200 OK\r\n" .
+      $FW_headerlines.
+      "Content-Length: 0\r\n\r\n");
+    delete $hash->{CONTENT_LENGTH};
+    FW_Read($hash, 1) if($hash->{BUF});
+    return;
+  }
 
   #############################
   # AUTH
@@ -450,7 +462,6 @@ FW_Read($$)
   #############################
 
   my $now = time();
-  my ($method, $arg, $httpvers) = split(" ", $FW_httpheader[0], 3);
   $arg .= "&".$POSTdata if($POSTdata);
   delete $hash->{CONTENT_LENGTH};
   $hash->{LASTACCESS} = $now;

fhem/FHEM/96_allowed.pm

@@ -93,8 +93,6 @@ allowed_Authenticate($$$$)
     delete $cl->{".httpAuthHeader"};
     return 0 if(!$basicAuth);
 
-    return 1 if($FW_httpheader[0] =~ m/^OPTIONS /); #Forum #51362
-
     my $FW_httpheader = $param;
     my $secret = $FW_httpheader->{Authorization};
     $secret =~ s/^Basic //i if($secret);