MyFavMirrors/moonfire-nvr
1
0
Fork 0
mirror of https://github.com/scottlamb/moonfire-nvr.git synced 2025-01-27 06:33:20 -05:00
Code Issues Packages Projects Releases Wiki Activity

extract_cookie should check all Cookie headers

Browse Source
This commit is contained in:
Scott Lamb 2021-10-28 15:07:24 -07:00
parent 1e17a53280
commit a7c574eb43
1 changed files with 25 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
server/src/web/mod.rs
View File

@ -114,18 +114,16 @@ fn csrf_matches(csrf: &str, session: auth::SessionHash) -> bool {
/// Extracts `s` cookie from the HTTP request. Does not authenticate. /// Extracts `s` cookie from the HTTP request. Does not authenticate.
fn extract_sid(req: &Request<hyper::Body>) -> Option<auth::RawSessionId> { fn extract_sid(req: &Request<hyper::Body>) -> Option<auth::RawSessionId> {
let hdr = match req.headers().get(header::COOKIE) { for hdr in req.headers().get_all(header::COOKIE) {
None => return None, for mut cookie in hdr.as_bytes().split(|&b| b == b';') {
Some(c) => c, if cookie.starts_with(b" ") {
}; cookie = &cookie[1..];
for mut cookie in hdr.as_bytes().split(|&b| b == b';') { }
if cookie.starts_with(b" ") { if cookie.starts_with(b"s=") {
cookie = &cookie[1..]; let s = &cookie[2..];
} if let Ok(s) = auth::RawSessionId::decode_base64(s) {
if cookie.starts_with(b"s=") { return Some(s);
let s = &cookie[2..]; }
if let Ok(s) = auth::RawSessionId::decode_base64(s) {
return Some(s);
} }
} }
} }
@ -617,6 +615,7 @@ impl Service {
mod tests { mod tests {
use db::testutil::{self, TestDb}; use db::testutil::{self, TestDb};
use futures::future::FutureExt; use futures::future::FutureExt;
use http::{header, Request};
use std::sync::Arc; use std::sync::Arc;
pub(super) struct Server { pub(super) struct Server {
@ -697,6 +696,20 @@ mod tests {
.unwrap(); .unwrap();
assert_eq!(resp.status(), reqwest::StatusCode::UNAUTHORIZED); assert_eq!(resp.status(), reqwest::StatusCode::UNAUTHORIZED);
} }
#[test]
fn test_extract_sid() {
let req = Request::builder()
.header(header::COOKIE, "foo=asdf; bar=asdf")
.header(
header::COOKIE,
"s=OsL6Cg4ikLw6UIXOT28tI+vPez3qWACovI+nLHWyjsW1ERX83qRrOR3guKedc8IP",
)
.body(hyper::Body::empty())
.unwrap();
let sid = super::extract_sid(&req).unwrap();
assert_eq!(sid.as_ref(), &b":\xc2\xfa\n\x0e\"\x90\xbc:P\x85\xceOo-#\xeb\xcf{=\xeaX\x00\xa8\xbc\x8f\xa7,u\xb2\x8e\xc5\xb5\x11\x15\xfc\xde\xa4k9\x1d\xe0\xb8\xa7\x9ds\xc2\x0f"[..]);
}
} }
#[cfg(all(test, feature = "nightly"))] #[cfg(all(test, feature = "nightly"))]