From 3a77659670efb598a3ea3157f785a1ee585e1057 Mon Sep 17 00:00:00 2001
From: Daniel
Date: Thu, 20 Jan 2022 09:02:47 +0100
Subject: [PATCH 1/2] Use request.Host instead of the header's Host
---
 api/router.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/api/router.go b/api/router.go
index 69eb7c4..b197634 100644
--- a/api/router.go
+++ b/api/router.go
@@ -113,16 +113,16 @@ func (mh *mainHandler) handle(w http.ResponseWriter, r *http.Request) error {
 // Parse origin URL.
 originURL, err := url.Parse(origin)
 if err != nil {
+ tracer.Warningf("api: denied request from %s: failed to parse origin header: %s", r.RemoteAddr, err)
 http.Error(lrw, "Invalid Origin.", http.StatusForbidden)
 return nil
 }
 // Check if the Origin matches the Host.
- host := r.Header.Get("Host")
 switch {
- case originURL.Host == host:
+ case originURL.Host == r.Host:
 // Origin (with port) matches Host.
- case originURL.Hostname() == host:
+ case originURL.Hostname() == r.Host:
 // Origin (without port) matches Host.
 case devMode() && utils.StringInSlice(allowedDevCORSOrigins, originURL.Hostname()):
@@ -130,6 +130,7 @@ func (mh *mainHandler) handle(w http.ResponseWriter, r *http.Request) error {
 // development origins.
 default:
 // Origin and Host do NOT match!
+ tracer.Warningf("api: denied request from %s: Origin (`%s`) and Host (`%s`) do not match", r.RemoteAddr, origin, r.Host)
 http.Error(lrw, "Cross-Origin Request Denied.", http.StatusForbidden)
 return nil
From 4c7d61fad5e1df03dcd6ba8cb6c1c59eb616e645 Mon Sep 17 00:00:00 2001
From: Daniel
Date: Thu, 20 Jan 2022 09:02:57 +0100
Subject: [PATCH 2/2] Buffer signal channel
---
 run/main.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/run/main.go b/run/main.go
index 92f6828..0af7482 100644
--- a/run/main.go
+++ b/run/main.go
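Review bot: In api/router.go (hunk at -113), the second case `originURL.Hostname() == r.Host` drops the Origin's port before comparing, so it can only match when the request's Host carries no port, and then an Origin on the same hostname but a different port is accepted as same-origin. Neither case compares the scheme. r.Host is also supplied by the client, so the switch only proves that Origin and Host agree with each other; whether r.Host is checked against the names the API is expected to serve is not visible here and is worth confirming. If the port-less match is intended, record it next to the case, e.g. `// NOTE: the Origin port is ignored here; only reachable when Host has no port.` The body of handle starts and ends outside this hunk.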
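Review bot: In api/router.go (hunk at -130), the added `tracer.Warningf` formats `origin` and `r.Host`, both taken from the request, with `%s` between backticks, so a value that itself contains a backtick or unusual bytes makes the entry ambiguous to read or parse. `%q` quotes and escapes them: `tracer.Warningf("api: denied request from %s: Origin (%q) and Host (%q) do not match", r.RemoteAddr, origin, r.Host)`. Every denied cross-origin request now writes a warning, so if the API is reachable from a browser it may be worth rate-limiting this message or lowering its level. The enclosing switch starts in the previous hunk.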
@@ -47,7 +47,7 @@ func Run() int {
 // Shutdown
 // catch interrupt for clean shutdown
- signalCh := make(chan os.Signal)
+ signalCh := make(chan os.Signal, 1)
 if enableInputSignals {
 go inputSignals(signalCh)
 }
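Review bot: The reason for the capacity of 1 is not stated at `signalCh := make(chan os.Signal, 1)` in run/main.go, so a later cleanup could revert it to an unbuffered channel. Presumably the channel is handed to signal.Notify further down in Run (not visible in this hunk), which does not block when delivering and drops a signal that arrives while nothing is receiving. A comment such as `// Buffered: signal.Notify does not block on send, so an unbuffered channel can miss the signal.` would record that. Run continues outside the hunk.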