improve CSRF_TRUSTED_ORIGINS loading logic
This commit is contained in:
parent
c6a80ab256
commit
34389e5e7c
2 changed files with 8 additions and 5 deletions
|
@ -97,7 +97,7 @@ CONFIG_SCHEMA: Dict[str, ConfigDefaultDict] = {
|
||||||
'SECRET_KEY': {'type': str, 'default': None},
|
'SECRET_KEY': {'type': str, 'default': None},
|
||||||
'BIND_ADDR': {'type': str, 'default': lambda c: ['127.0.0.1:8000', '0.0.0.0:8000'][c['IN_DOCKER']]},
|
'BIND_ADDR': {'type': str, 'default': lambda c: ['127.0.0.1:8000', '0.0.0.0:8000'][c['IN_DOCKER']]},
|
||||||
'ALLOWED_HOSTS': {'type': str, 'default': '*'}, # e.g. archivebox.example.com,archivebox2.example.com
|
'ALLOWED_HOSTS': {'type': str, 'default': '*'}, # e.g. archivebox.example.com,archivebox2.example.com
|
||||||
'CSRF_TRUSTED_ORIGINS': {'type': str, 'default': ''}, # e.g. https://archivebox.example.com,https://archivebox2.example.com:8080
|
'CSRF_TRUSTED_ORIGINS': {'type': str, 'default': lambda c: 'http://localhost:8000,http://127.0.0.1:8000,http://0.0.0.0:8000,http://{}'.format(c['BIND_ADDR'])}, # e.g. https://archivebox.example.com,https://archivebox2.example.com:8080
|
||||||
'DEBUG': {'type': bool, 'default': False},
|
'DEBUG': {'type': bool, 'default': False},
|
||||||
'PUBLIC_INDEX': {'type': bool, 'default': True},
|
'PUBLIC_INDEX': {'type': bool, 'default': True},
|
||||||
'PUBLIC_SNAPSHOTS': {'type': bool, 'default': True},
|
'PUBLIC_SNAPSHOTS': {'type': bool, 'default': True},
|
||||||
|
|
|
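Review bot: The new default on the `CSRF_TRUSTED_ORIGINS` line hard-codes port 8000 into the `localhost`, `127.0.0.1` and `0.0.0.0` entries while only the last entry follows `c['BIND_ADDR']`, so an operator who changes BIND_ADDR to another port (say `127.0.0.1:8080`) gets a default that trusts the bind address but not `http://localhost:8080`, which is the origin a browser typically sends for a local deployment. Deriving the port once keeps the whole default consistent with the bind port: `'default': lambda c: 'http://localhost:{0},http://127.0.0.1:{0},http://0.0.0.0:{0},http://{1}'.format(c['BIND_ADDR'].rsplit(':', 1)[-1], c['BIND_ADDR'])`; whether BIND_ADDR can ever be set without a port is not visible here and would need checking before relying on the split. All generated defaults are plain `http://` origins, so an HTTPS deployment behind a reverse proxy still has to set CSRF_TRUSTED_ORIGINS explicitly — worth saying in the trailing `# e.g.` comment, since ALLOWED_HOSTS defaults to `*` and nothing else will prompt the operator. The CONFIG_SCHEMA dict this entry belongs to starts and ends outside the hunk.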
@ -5,6 +5,7 @@ import sys
|
||||||
import re
|
import re
|
||||||
import logging
|
import logging
|
||||||
import tempfile
|
import tempfile
|
||||||
|
from typing import Any, Dict
|
||||||
|
|
||||||
from pathlib import Path
|
from pathlib import Path
|
||||||
from django.utils.crypto import get_random_string
|
from django.utils.crypto import get_random_string
|
||||||
|
@ -317,13 +318,15 @@ STORAGES = {
|
||||||
SECRET_KEY = CONFIG.SECRET_KEY or get_random_string(50, 'abcdefghijklmnopqrstuvwxyz0123456789_')
|
SECRET_KEY = CONFIG.SECRET_KEY or get_random_string(50, 'abcdefghijklmnopqrstuvwxyz0123456789_')
|
||||||
|
|
||||||
ALLOWED_HOSTS = CONFIG.ALLOWED_HOSTS.split(',')
|
ALLOWED_HOSTS = CONFIG.ALLOWED_HOSTS.split(',')
|
||||||
CSRF_TRUSTED_ORIGINS = CONFIG.CSRF_TRUSTED_ORIGINS.split(',')
|
CSRF_TRUSTED_ORIGINS = list(set(CONFIG.CSRF_TRUSTED_ORIGINS.split(',')))
|
||||||
|
|
||||||
# automatically fix case when user sets ALLOWED_HOSTS (e.g. to archivebox.example.com)
|
# automatically fix case when user sets ALLOWED_HOSTS (e.g. to archivebox.example.com)
|
||||||
# but forgets to add https://archivebox.example.com to CSRF_TRUSTED_ORIGINS
|
# but forgets to add https://archivebox.example.com to CSRF_TRUSTED_ORIGINS
|
||||||
if CONFIG.ALLOWED_HOSTS != '*' and (not CSRF_TRUSTED_ORIGINS):
|
for hostname in ALLOWED_HOSTS:
|
||||||
for hostname in ALLOWED_HOSTS:
|
https_endpoint = f'https://{hostname}'
|
||||||
CSRF_TRUSTED_ORIGINS.append(f'https://{hostname}')
|
if hostname != '*' and https_endpoint not in CSRF_TRUSTED_ORIGINS:
|
||||||
|
print(f'[!] WARNING: {https_endpoint} from ALLOWED_HOSTS should be added to CSRF_TRUSTED_ORIGINS')
|
||||||
|
CSRF_TRUSTED_ORIGINS.append(https_endpoint)
|
||||||
|
|
||||||
SECURE_BROWSER_XSS_FILTER = True
|
SECURE_BROWSER_XSS_FILTER = True
|
||||||
SECURE_CONTENT_TYPE_NOSNIFF = True
|
SECURE_CONTENT_TYPE_NOSNIFF = True
|
||||||
|
|
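Review bot: The auto-fix loop on the new side of the second hunk builds `https://{hostname}` from every ALLOWED_HOSTS entry as-is, so Django's leading-dot subdomain form (e.g. `.example.com`) becomes the malformed origin `https://.example.com`, and entries typed with surrounding whitespace keep that whitespace; the `split(',')` feeding `CSRF_TRUSTED_ORIGINS = list(set(...))` likewise keeps empty strings and whitespace, and on Django 4.0 and later a startup system check rejects entries that do not start with a scheme. The warning text also says the origin "should be added" while the very next line adds it, so it reads as if the operator still has something to do. I would strip and filter both lists, only append origins for plain hostnames, and print the warning for the dotted form rather than appending an origin for it; the first hunk's unused-looking `from typing import Any, Dict` may be consumed elsewhere in the file and is not visible here. This is top-level settings code, so no enclosing function is cut by the hunk.
```python
CSRF_TRUSTED_ORIGINS = list({o.strip() for o in CONFIG.CSRF_TRUSTED_ORIGINS.split(',') if o.strip()})

# … unchanged: ALLOWED_HOSTS auto-fix comment …
for hostname in ALLOWED_HOSTS:
    host = hostname.strip()
    if not host or host == '*':
        continue
    if host.startswith('.'):
        # a subdomain-wildcard ALLOWED_HOSTS entry has no single origin form; leave it to the operator
        print(f'[!] WARNING: ALLOWED_HOSTS entry {host} needs a matching entry in CSRF_TRUSTED_ORIGINS')
        continue
    https_endpoint = f'https://{host}'
    if https_endpoint not in CSRF_TRUSTED_ORIGINS:
        print(f'[i] Adding {https_endpoint} from ALLOWED_HOSTS to CSRF_TRUSTED_ORIGINS')
        CSRF_TRUSTED_ORIGINS.append(https_endpoint)
```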