From 7bbaa3050cbcb652a1ef6bbb2501291bb52dfc66 Mon Sep 17 00:00:00 2001
From: Azareal
Date: Fri, 12 Jul 2019 08:09:05 +1000
Subject: [PATCH] Maintain panel phrase security boundaries.
---
 routes.go | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/routes.go b/routes.go
index d78f11e8..697a62a4 100644
--- a/routes.go
+++ b/routes.go
@@ -237,17 +237,21 @@ func routeAPIPhrases(w http.ResponseWriter, r *http.Request, user c.User) c.Rout
 }
 var plist map[string]string
- var notModified = false
+ var notModified, private bool
 var posLoop = func(positive string) c.RouteError {
 // ! Constrain it to a subset of phrases for now
 for _, item := range phraseWhitelist {
 if strings.HasPrefix(positive, item) {
 // TODO: Break this down into smaller security boundaries based on control panel sections?
+ // TODO: Do we have to be so strict with panel phrases?
 if strings.HasPrefix(positive, "panel") {
- w.Header().Set("Cache-Control", "private")
+ private = true
 ok = user.IsSuperMod
 } else {
 ok = true
+ if notModified {
+ return nil
+ }
 w.Header().Set("ETag", etag)
 match := r.Header.Get("If-None-Match")
 if match != "" && strings.Contains(match, etag) {
@@ -272,9 +276,6 @@ func routeAPIPhrases(w http.ResponseWriter, r *http.Request, user c.User) c.Rout
 if rerr != nil {
 return rerr
 }
- if notModified {
- break
- }
 pPhrases, ok := phrases.GetTmplPhrasesByPrefix(positive)
 if !ok {
 return c.PreErrorJS("No such prefix", w, r)
@@ -294,7 +295,10 @@ func routeAPIPhrases(w http.ResponseWriter, r *http.Request, user c.User) c.Rout
 }
 plist = pPhrases
 }
- if notModified {
+
+ if private {
+ w.Header().Set("Cache-Control", "private")
+ } else if notModified {
 w.WriteHeader(http.StatusNotModified)
 return nil
 }
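Review bot: With `if notModified { break }` dropped from the positives loop (second hunk), a conditional request that the last hunk answers with `w.WriteHeader(http.StatusNotModified)` still calls `phrases.GetTmplPhrasesByPrefix` and assembles `plist` for every remaining prefix, and that body is then thrown away. The loop can no longer stop early, because a later `panel` prefix may still set `private` and the `user.IsSuperMod` result, so the straightforward fix is two passes: call `posLoop` for every positive first, return the 304 when `notModified && !private`, and only then run the phrase lookups. The final `if private { ... } else if notModified { ... }` would also read better with its reason stated, e.g. `// Responses that include panel phrases are never answered with 304: they are re-authorised on every request and marked private.` — I am inferring that intent from the commit title, so adjust the wording if the reason differs. routeAPIPhrases starts before the first hunk and continues past the last, so the check that consumes `ok` is outside this view.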