Merge branch 'master' into icon-security

2019-10-05 16:45:36 +02:00 · 2019-10-05 16:45:36 +02:00 · e6b763026e
Commit e6b763026e
--- a/src/api/icons.rs
+++ b/src/api/icons.rs
@ -283,12 +283,21 @@ fn get_page_with_cookies(url: &str, cookie_str: &str) -> Result<Response, Error>
    if check_icon_domain_is_blacklisted(Url::parse(url).unwrap().host_str().unwrap_or_default()) {
        err!("Favicon rel linked to a non blacklisted domain!");
    }
-    CLIENT
-        .get(url)
-        .header("cookie", cookie_str)
-        .send()?
-        .error_for_status()
-        .map_err(Into::into)
+
+    if cookie_str.is_empty() {
+        CLIENT
+            .get(url)
+            .send()?
+            .error_for_status()
+            .map_err(Into::into)
+    } else {
+        CLIENT
+            .get(url)
+            .header("cookie", cookie_str)
+            .send()?
+            .error_for_status()
+            .map_err(Into::into)
+    }
 }

 /// Returns a Integer with the priority of the type of the icon which to prefer.
--- a/src/util.rs
+++ b/src/util.rs
@ -42,6 +42,13 @@ impl CORS {
            _ => "".to_string(),
        }
    }
+
+    fn valid_url(url: String) -> String {
+        match url.as_ref() {
+            "file://" => "*".to_string(),
+            _ => url,
+        }
+    }
 }

 impl Fairing for CORS {
@ -56,21 +63,17 @@ impl Fairing for CORS {
        let req_headers = request.headers();

        // We need to explicitly get the Origin header for Access-Control-Allow-Origin
-        let req_allow_origin = CORS::get_header(&req_headers, "Origin");
+        let req_allow_origin = CORS::valid_url(CORS::get_header(&req_headers, "Origin"));

-        let req_allow_headers = CORS::get_header(&req_headers, "Access-Control-Request-Headers");
+        response.set_header(Header::new("Access-Control-Allow-Origin", req_allow_origin));

-        let req_allow_method = CORS::get_header(&req_headers,"Access-Control-Request-Method");
+        if request.method() == Method::Options {
+            let req_allow_headers = CORS::get_header(&req_headers, "Access-Control-Request-Headers");
+            let req_allow_method = CORS::get_header(&req_headers,"Access-Control-Request-Method");

-        if request.method() == Method::Options || response.content_type() == Some(ContentType::JSON) {
-            // Requests with credentials need explicit values since they do not allow wildcards.
-            response.set_header(Header::new("Access-Control-Allow-Origin", req_allow_origin));
            response.set_header(Header::new("Access-Control-Allow-Methods", req_allow_method));
            response.set_header(Header::new("Access-Control-Allow-Headers", req_allow_headers));
            response.set_header(Header::new("Access-Control-Allow-Credentials", "true"));
-        }
-
-        if request.method() == Method::Options {
            response.set_status(Status::Ok);
            response.set_header(ContentType::Plain);
            response.set_sized_body(Cursor::new(""));