
Cookie suffix calculation in the frontend is broken for script paths with more than one / #4656

Closed
foosel opened this issue Sep 30, 2022 · 1 comment
Labels: approved (Issue has been approved by the bot or manually for further processing), bug (Issue describes a bug), done (Done but not yet released), frontend (Related to the frontend)

foosel commented Sep 30, 2022

Problem

OctoPrint's client-side getCookieSuffix is currently only replacing the first occurrence of / in the path for the R suffix component with a |. It should be replacing all.

Therefore something like /api/hassio/<token> gets turned into _P443_R|api/hassio_ingress/<token> instead of _P443_R|api|hassio_ingress|<token>.

This breaks CSRF validation in setups where OctoPrint is accessed through script paths with multiple path components.

Solution

In this line replace

return "_P" + port + "_R" + path.replace(/\//, "|");

with

return "_P" + port + "_R" + path.replace(/\//g, "|");

Additional information

As mentioned on Discord.

@foosel foosel added bug Issue describes a bug frontend Related to the frontend approved Issue has been approved by the bot or manually for further processing labels Sep 30, 2022
@foosel foosel added this to the 1.8.x milestone Sep 30, 2022
@foosel foosel self-assigned this Sep 30, 2022
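Added example (not OctoPrint's own code) reproducing the defect described above: the buggy and fixed suffix functions side by side, a cookie-name validity check, and a constructed cookie-jar lookup that shows why a client suffix that still contains "/" can never match the cookie the server set. The "csrf_token" base name, the sample port, path and cookie jar are constructed for this example.

```javascript
// Added example, not OctoPrint's own code. It reproduces the defect from the
// issue: replacing "/" with "|" via a non-global regex only touches the first
// separator, so the "_R" component still contains "/" whenever the script
// path has more than one segment.

// Buggy variant (the line the issue points at).
function getCookieSuffixBuggy(port, path) {
  return "_P" + port + "_R" + path.replace(/\//, "|");
}

// Fixed variant: the g flag replaces every "/" in the path.
function getCookieSuffixFixed(port, path) {
  return "_P" + port + "_R" + path.replace(/\//g, "|");
}

// A cookie name is an RFC 6265 token; "/" (and the other RFC 2616 separators
// listed here) are not token characters, so a suffix still containing "/"
// cannot be part of a valid cookie name.
function isValidCookieNameSuffix(suffix) {
  return !/[\s()<>@,;:\\"\/\[\]?={}]/.test(suffix);
}

// Hypothetical check modelled on the symptom in the issue: client and server
// derive the suffix independently, and a client that derives a different one
// looks for the CSRF cookie under the wrong name. Cookie base name and jar are
// constructed here, not taken from OctoPrint.
function clientFindsCsrfCookie(cookieJar, port, path, suffixFn) {
  const name = "csrf_token" + suffixFn(port, path);
  return Object.prototype.hasOwnProperty.call(cookieJar, name);
}

// Constructed sample: a multi-segment script path behind a reverse proxy on
// port 443; the server side (correct replacement) is what set the cookie.
const PORT = 443;
const SCRIPT_PATH = "/api/hassio_ingress/abc123";
const serverCookies = {
  ["csrf_token" + getCookieSuffixFixed(PORT, SCRIPT_PATH)]: "constructed-token",
};

console.log(getCookieSuffixBuggy(PORT, SCRIPT_PATH)); // _P443_R|api/hassio_ingress/abc123
console.log(getCookieSuffixFixed(PORT, SCRIPT_PATH)); // _P443_R|api|hassio_ingress|abc123
console.log(clientFindsCsrfCookie(serverCookies, PORT, SCRIPT_PATH, getCookieSuffixBuggy)); // false
console.log(clientFindsCsrfCookie(serverCookies, PORT, SCRIPT_PATH, getCookieSuffixFixed)); // true
```

For a single-segment path such as "/octoprint" both variants agree, which is why the defect only surfaces behind multi-component script paths.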
foosel commented Oct 5, 2022

Fixed by the above commit, ready for 1.8.5.

@foosel foosel added the done Done but not yet released label Oct 5, 2022
@foosel foosel closed this as completed in 5091487 Oct 17, 2022
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 18, 2023