[PATCH uhttpd RFC] ubus: support setting custom CORS origin URL

Rafał Miłecki zajec5 at gmail.com
Wed Sep 23 03:28:13 EDT 2020


From: Rafał Miłecki <rafal at milecki.pl>

By default uhttpd replies with Access-Control-Allow-Origin containing the
URL from the request's Origin header. That allows sending CORS requests from
any website, which enables attacks.

Add support for an -o option that allows specifying a single URL to be put
in Access-Control-Allow-Origin.

Signed-off-by: Rafał Miłecki <rafal at milecki.pl>
---
I use this patch with the addition of a single init.d script line:
append_arg "$cfg" ubus_origin "-o"

Does anyone find it useful?
---
 main.c   | 7 ++++++-
 ubus.c   | 2 +-
 uhttpd.h | 1 +
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/main.c b/main.c
index 73e3d42..c5f2fe4 100644
--- a/main.c
+++ b/main.c
@@ -263,7 +263,7 @@ int main(int argc, char **argv)
 	init_defaults_pre();
 	signal(SIGPIPE, SIG_IGN);
 
-	while ((ch = getopt(argc, argv, "A:aC:c:Dd:E:e:fh:H:I:i:K:k:L:l:m:N:n:P:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) {
+	while ((ch = getopt(argc, argv, "A:aC:c:Dd:E:e:fh:H:I:i:K:k:L:l:m:N:n:o:P:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) {
 		switch(ch) {
 #ifdef HAVE_TLS
 		case 'C':
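
Review bot: the getopt string gains `o:`, but no hunk in this series (the diffstat lists only main.c, ubus.c and uhttpd.h, eight insertions in total) updates the usage/help output or any documentation for the new option, so an operator cannot discover `-o` or what value it expects. Add a usage line that names the expected form, for example `-o https://example.com` (scheme, host and optional port, no path or trailing slash), since browsers compare Access-Control-Allow-Origin against the serialized Origin byte for byte.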
@@ -492,6 +492,10 @@ int main(int argc, char **argv)
 			conf.ubus_cors = 1;
 			break;
 
+		case 'o':
+			conf.ubus_origin = optarg;
+			break;
+
 		case 'e':
 			conf.events_retry = atoi(optarg);
 			break;
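
Review bot: `conf.ubus_origin = optarg;` stores the value without any validation, and the ubus.c hunk later prints it verbatim into the response header, so a value containing spaces, CR/LF or a path suffix yields either a header no browser will ever match or, with CR/LF, an injected extra header line. The value is operator-supplied, so the risk is low, but it is cheap to reject at parse time: fail with a usage error unless the string starts with `http://` or `https://` and contains no control characters, whitespace or `/` after the authority.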
@@ -500,6 +504,7 @@ int main(int argc, char **argv)
 		case 'u':
 		case 'U':
 		case 'X':
+		case 'o':
 		case 'e':
 			fprintf(stderr, "uhttpd: UBUS support not compiled, "
 			                "ignoring -%c\n", ch);
diff --git a/ubus.c b/ubus.c
index 39b38b2..27c1c95 100644
--- a/ubus.c
+++ b/ubus.c
@@ -169,7 +169,7 @@ static void uh_ubus_add_cors_headers(struct client *cl)
 	}
 
 	ustream_printf(cl->us, "Access-Control-Allow-Origin: %s\r\n",
-	               blobmsg_get_string(tb[HDR_ORIGIN]));
+	               conf.ubus_origin ? conf.ubus_origin : blobmsg_get_string(tb[HDR_ORIGIN]));
 
 	if (tb[HDR_ACCESS_CONTROL_REQUEST_HEADERS])
 		ustream_printf(cl->us, "Access-Control-Allow-Headers: %s\r\n",
diff --git a/uhttpd.h b/uhttpd.h
index e61e176..f924c77 100644
--- a/uhttpd.h
+++ b/uhttpd.h
@@ -81,6 +81,7 @@ struct config {
 	int script_timeout;
 	int ubus_noauth;
 	int ubus_cors;
+	const char *ubus_origin;
 	int cgi_prefix_len;
 	int events_retry;
 	struct list_head cgi_alias;
-- 
2.27.0
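
As an added example, not code from uhttpd or from this patch: a stand-alone C sketch of the check the commit message implies, an exact-match allow-list for Access-Control-Allow-Origin placed next to the reflect-the-Origin behaviour it replaces, plus a validator for the operator-supplied origin string that `-o` would receive. The function names (`cors_origin_valid`, `cors_allow_origin`), the `reflect` switch and the sample origins are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example; not uhttpd code. Two helpers a CORS allow-list needs:
 * cors_origin_valid() checks an operator-supplied origin string (what -o
 * would receive) and cors_allow_origin() decides the Access-Control-Allow-
 * Origin header for one request. All names here are this example's own.
 */

/* A configured origin must be scheme://host[:port] with no path, query,
 * fragment, whitespace or control characters; otherwise the header line is
 * either never matched by a browser or, with CR/LF, corrupts the response. */
static int cors_origin_valid(const char *s)
{
    const char *p;

    if (!s)
        return 0;
    if (!strncmp(s, "https://", 8))
        p = s + 8;
    else if (!strncmp(s, "http://", 7))
        p = s + 7;
    else
        return 0;
    if (!*p)
        return 0;
    for (; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (c <= 0x20 || c >= 0x7f || c == '/' || c == '?' || c == '#')
            return 0;
    }
    return 1;
}

/*
 * origin:  value of the request's Origin header (NULL if absent)
 * allowed: configured origin (NULL if none configured)
 * reflect: 1 = echo any Origin back when nothing is configured (the insecure
 *          default the commit message describes), 0 = send no header instead
 * Writes the header line into out and returns 1 when it should be sent;
 * returns 0 when the header must be omitted.
 */
static int cors_allow_origin(const char *origin, const char *allowed,
                             int reflect, char *out, size_t outlen)
{
    if (!origin || !*origin)
        return 0;                 /* not a cross-origin request */

    if (!allowed) {
        if (!reflect)
            return 0;
        /* Reflection trusts every site, including an opaque "null" origin. */
        snprintf(out, outlen, "Access-Control-Allow-Origin: %s\r\n", origin);
        return 1;
    }

    /* Browsers match the header against the serialized Origin byte for byte,
     * so scheme, case and port must all be identical. */
    if (strcmp(origin, allowed) != 0)
        return 0;

    snprintf(out, outlen, "Access-Control-Allow-Origin: %s\r\n", allowed);
    return 1;
}

int main(void)
{
    /* Constructed sample Origin values for illustration. */
    static const char *const origins[] = {
        "https://router.lan", "https://evil.example", "null", NULL
    };
    const char *configured = "https://router.lan";   /* what -o would carry */
    char line[256];
    int i;

    if (!cors_origin_valid(configured)) {
        fprintf(stderr, "invalid configured origin\n");
        return 1;
    }

    printf("no origin configured, reflecting (the default this patch keeps):\n");
    for (i = 0; origins[i]; i++)
        if (cors_allow_origin(origins[i], NULL, 1, line, sizeof line))
            printf("  %s -> %s", origins[i], line);

    printf("configured %s:\n", configured);
    for (i = 0; origins[i]; i++)
        printf("  %s -> %s", origins[i],
               cors_allow_origin(origins[i], configured, 0, line, sizeof line)
                   ? line : "(no header)\r\n");
    return 0;
}
```

Build with `cc -Wall cors_example.c` and run it: the first block shows every sample Origin, including the opaque `null` origin, being echoed back, while the second shows only the exact match receiving an Allow-Origin header. The early return on mismatch is the behaviour to aim for in the server: no header, and therefore no other CORS headers, for origins that are not on the list.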
