Mirrors/blakeblackshear.frigate
1
0
Fork 0
mirror of https://github.com/blakeblackshear/frigate.git synced 2025-05-07 01:16:43 +02:00
Code Issues Projects Releases Wiki Activity

Fix csrf (#16230)

Browse Source 
* Fix csrf check

* Simplify
This commit is contained in:
Nicolas Mowen 2025-01-30 10:27:38 -07:00 committed by GitHub
parent 7b65bcf13c
commit cea210d800
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 11 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
frigate/api/fastapi_app.py
View File

@ -26,14 +26,13 @@ from frigate.storage import StorageMaintainer
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
def check_csrf(request: Request): def check_csrf(request: Request) -> bool:
if request.method in ["GET", "HEAD", "OPTIONS", "TRACE"]: if request.method in ["GET", "HEAD", "OPTIONS", "TRACE"]:
pass return True
if "origin" in request.headers and "x-csrf-token" not in request.headers: if "origin" in request.headers and "x-csrf-token" not in request.headers:
return JSONResponse( return False
content={"success": False, "message": "Missing CSRF header"},
status_code=401, return True
)
# Used to retrieve the remote-user header: https://starlette-context.readthedocs.io/en/latest/plugins.html#easy-mode # Used to retrieve the remote-user header: https://starlette-context.readthedocs.io/en/latest/plugins.html#easy-mode
@ -71,7 +70,12 @@ def create_fastapi_app(
@app.middleware("http") @app.middleware("http")
async def frigate_middleware(request: Request, call_next): async def frigate_middleware(request: Request, call_next):
# Before request # Before request
check_csrf(request) if not check_csrf(request):
return JSONResponse(
content={"success": False, "message": "Missing CSRF header"},
status_code=401,
)
if database.is_closed(): if database.is_closed():
database.connect() database.connect()