Cutlery/caddy
1
0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2026-02-14 23:42:08 -05:00
Code Issues Actions Packages Projects Releases Wiki Activity

admin: Reject requests with Sec-Fetch-Mode headers
Some checks failed
Tests / test (./cmd/caddy/caddy, ~1.25.0, ubuntu-latest, 0, 1.25, linux) (push) Failing after 16s
Details
Tests / test (s390x on IBM Z) (push) Has been skipped
Details
Tests / goreleaser-check (push) Has been skipped
Details
Cross-Build / build (~1.25.0, 1.25, aix) (push) Failing after 14s
Details
Cross-Build / build (~1.25.0, 1.25, darwin) (push) Failing after 14s
Details
Cross-Build / build (~1.25.0, 1.25, dragonfly) (push) Failing after 14s
Details
Cross-Build / build (~1.25.0, 1.25, freebsd) (push) Failing after 13s
Details
Cross-Build / build (~1.25.0, 1.25, illumos) (push) Failing after 14s
Details
Cross-Build / build (~1.25.0, 1.25, linux) (push) Failing after 13s
Details
Cross-Build / build (~1.25.0, 1.25, netbsd) (push) Failing after 13s
Details
Cross-Build / build (~1.25.0, 1.25, openbsd) (push) Failing after 15s
Details
Cross-Build / build (~1.25.0, 1.25, solaris) (push) Failing after 17s
Details
Cross-Build / build (~1.25.0, 1.25, windows) (push) Failing after 17s
Details
Lint / lint (ubuntu-latest, linux) (push) Failing after 14s
Details
Lint / govulncheck (push) Successful in 1m23s
Details
Lint / dependency-review (push) Failing after 14s
Details
OpenSSF Scorecard supply-chain security / Scorecard analysis (push) Failing after 15s
Details
Tests / test (./cmd/caddy/caddy, ~1.25.0, macos-14, 0, 1.25, mac) (push) Has been cancelled
Details
Tests / test (./cmd/caddy/caddy.exe, ~1.25.0, windows-latest, True, 1.25, windows) (push) Has been cancelled
Details
Lint / lint (macos-14, mac) (push) Has been cancelled
Details
Lint / lint (windows-latest, windows) (push) Has been cancelled
Details

Browse Source 
And buggy Origin: null headers.

Resolves a low-risk security report by @1seal.
This commit is contained in:
Matthew Holt 2026-02-05 09:39:11 -07:00
parent 40927d2f75
commit 42ca010e9d
No known key found for this signature in database
1 changed files with 26 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
admin.go
View File

@ -807,13 +807,38 @@ func (h adminHandler) serveHTTP(w http.ResponseWriter, r *http.Request) {
}
}
// common mitigations in browser contexts
if strings.Contains(r.Header.Get("Upgrade"), "websocket") {
// I've never been able demonstrate a vulnerability myself, but apparently
// WebSocket connections originating from browsers aren't subject to CORS
// restrictions, so we'll just be on the safe side
h.handleError(w, r, fmt.Errorf("websocket connections aren't allowed"))
h.handleError(w, r, APIError{
HTTPStatus: http.StatusBadRequest,
Err: errors.New("websocket connections aren't allowed"),
Message: "WebSocket connections aren't allowed.",
})
return
}
if strings.Contains(r.Header.Get("Sec-Fetch-Mode"), "no-cors") {
// turns out web pages can just disable the same-origin policy (!???!?)
// but at least browsers let us know that's the case, holy heck
h.handleError(w, r, APIError{
HTTPStatus: http.StatusBadRequest,
Err: errors.New("client attempted to make request by disabling same-origin policy using no-cors mode"),
Message: "Disabling same-origin restrictions is not allowed.",
})
return
}
if r.Header.Get("Origin") == "null" {
// bug in Firefox in certain cross-origin situations (yikes?)
// (not strictly a security vuln on its own, but it's red flaggy,
// since it seems to manifest in cross-origin contexts)
h.handleError(w, r, APIError{
HTTPStatus: http.StatusBadRequest,
Err: errors.New("invalid origin 'null'"),
Message: "Buggy browser is sending null Origin header.",
})
}
if h.enforceHost {
// DNS rebinding mitigation