Authenticate requests with the Origin header other than 127.0.0.1 #9180

2234839 · 2023-09-13T13:36:26Z

对于来自非Origin 127.0.0.1 的请求应当需要鉴权

Is there an existing issue for this?

I have searched the existing issues

Can the issue be reproduced with the default theme (daylight/midnight)?

I was able to reproduce the issue with the default theme

Could the issue be due to extensions?

I've ruled out the possibility that the extension is causing the problem.

Describe the problem

虽然不启用非 127.0.0.1 的网络伺服功能，但 127.0.0.1 的 api 却可以被随意访问，建议对于非 127.0.0.1 来源的请求也要开启鉴权才能访问

例如网站 oceanpress-js.pages.dev/ 可以直接访问未开启鉴权的思源api

这样是存在安全风险的，用户浏览器访问恶意网页之后，网页脚本可以通过思源 api 对用户发起攻击

Expected result

对于请求头Origin非本地地址的应当要求鉴权

Screenshot or screen recording presentation

No response

Version environment

- Version: v2.10.5
- Operating System: 
- Browser (if used):

Log file

none

More information

No response

#9180

* commit 'a84cd4a6dd0b4afd7b082ae40377427b4eb6449b': (63 commits) 🐛 fix siyuan-note#9178 🎨 fix siyuan-note#9184 🎨 dock 🎨 resize 🎨 resize 🎨 siyuan-note#9182 🎨 Improve update tx 🎨 Improve update tx 📝 https://ld246.com/article/1694622447855 🎨 Improve update tx 📝 https://ld246.com/article/1694622447855 🎨 Sort tx queue Undo and then redo after Shift+Enter trigger status exception siyuan-note#9178 🎨 siyuan-note#9152 🎨 fix siyuan-note#9152 🎨 fix siyuan-note#9179 🎨 fix siyuan-note#9179 🔒 Authenticate requests with the Origin header other than 127.0.0.1 Fix siyuan-note#9180 🎨 fix siyuan-note#9177 🎨 Update text code block line num tip 🎨 tooltip ... # Conflicts: # app/src/config/account.ts

* develop: (63 commits) 🐛 fix siyuan-note#9178 🎨 fix siyuan-note#9184 🎨 dock 🎨 resize 🎨 resize 🎨 siyuan-note#9182 🎨 Improve update tx 🎨 Improve update tx 📝 https://ld246.com/article/1694622447855 🎨 Improve update tx 📝 https://ld246.com/article/1694622447855 🎨 Sort tx queue Undo and then redo after Shift+Enter trigger status exception siyuan-note#9178 🎨 siyuan-note#9152 🎨 fix siyuan-note#9152 🎨 fix siyuan-note#9179 🎨 fix siyuan-note#9179 🔒 Authenticate requests with the Origin header other than 127.0.0.1 Fix siyuan-note#9180 🎨 fix siyuan-note#9177 🎨 Update text code block line num tip 🎨 tooltip ...

…9180

88250 changed the title ~~对于来自非Origin 127.0.0.1 的请求应当需要鉴权~~ Authenticate requests with the Origin header other than 127.0.0.1 Sep 13, 2023

88250 self-assigned this Sep 13, 2023

88250 added the Enhancement label Sep 13, 2023

88250 added this to the 2.10.6 milestone Sep 13, 2023

88250 added a commit that referenced this issue Sep 13, 2023

🔒 Authenticate requests with the Origin header other than 127.0.0.1 Fix

Unverified

This user has not yet uploaded their public signing key.

GPG key ID: 136F30F901A2231D

Learn about vigilant mode

94857b3

#9180

88250 closed this as completed Sep 13, 2023

88250 added a commit that referenced this issue Sep 17, 2023

🎨 Authenticate requests with the Origin header other than 127.0.0.1 #…

0e7dcc0

…9180

88250 mentioned this issue Sep 19, 2023

Improve auth failed tip for browser access on non 127.0.0.1 #9224

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Authenticate requests with the Origin header other than 127.0.0.1 #9180

Authenticate requests with the Origin header other than 127.0.0.1 #9180

2234839 commented Sep 13, 2023 •

edited by 88250

Loading

Authenticate requests with the Origin header other than 127.0.0.1 #9180

Authenticate requests with the Origin header other than 127.0.0.1 #9180

Comments

2234839 commented Sep 13, 2023 • edited by 88250 Loading

Is there an existing issue for this?

Can the issue be reproduced with the default theme (daylight/midnight)?

Could the issue be due to extensions?

Describe the problem

Expected result

Screenshot or screen recording presentation

Version environment

Log file

More information

2234839 commented Sep 13, 2023 •

edited by 88250

Loading