From 313da6b5696088b6b493695000ef790f277ed505 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ren=C3=A9=20=27Necoro=27=20Neumann?= Date: Sun, 9 Jan 2022 23:53:26 +0100 Subject: Ensure that cookies are sent only to the correct domains. We want to avoid that authentication data is sent when fetching images from external sources, for instance. --- config.yml.example | 2 ++ internal/feed/feed.go | 11 ++++++++++- internal/http/client.go | 42 ++++++++++++++++++++++++++++++++++++------ 3 files changed, 48 insertions(+), 7 deletions(-) diff --git a/config.yml.example b/config.yml.example index e933ade..1c0e597 100644 --- a/config.yml.example +++ b/config.yml.example @@ -96,6 +96,8 @@ options: cookies: - name: authentication value: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhY2N... + # if the domain value is different from the domain of the RSS feed + domain: foo.bar.ex ## Feeds # Each feed must have a name, and a URL or Exec argument. The name must be unique. diff --git a/internal/feed/feed.go b/internal/feed/feed.go index f31de65..f403036 100644 --- a/internal/feed/feed.go +++ b/internal/feed/feed.go @@ -21,6 +21,7 @@ type Feed struct { items []Item Global config.GlobalOptions extID FeedID + jar http.CookieJar } type FeedID interface { @@ -35,10 +36,18 @@ type Descriptor struct { } func (feed *Feed) Context() http.Context { + if feed.Url != "" && len(feed.Cookies) > 0 && feed.jar == nil { + var err error + feed.jar, err = http.JarOfCookies(feed.Cookies, feed.Url) + if err != nil { + log.Errorf("Error while initialising cookies for feed '%s': %w", feed.Name, err) + } + } + return http.Context{ Timeout: feed.Global.Timeout, DisableTLS: feed.NoTLS, - Cookies: feed.Cookies, + Jar: feed.jar, } } diff --git a/internal/http/client.go b/internal/http/client.go index 4272a5b..b47203d 100644 --- a/internal/http/client.go +++ b/internal/http/client.go @@ -5,6 +5,8 @@ import ( "crypto/tls" "fmt" "net/http" + "net/http/cookiejar" + urlpkg "net/url" "time" ) @@ -23,7 +25,7 @@ type Error struct { type Context struct { Timeout int DisableTLS bool - Cookies []Cookie + Jar CookieJar } func (err Error) Error() string { @@ -55,8 +57,35 @@ func client(disableTLS bool) *http.Client { var noop ctxt.CancelFunc = func() {} type Cookie struct { - Name string - Value string + Name string + Value string + Domain string +} + +type CookieJar http.CookieJar + +func JarOfCookies(cookies []Cookie, url string) (CookieJar, error) { + jar, err := cookiejar.New(nil) + if err != nil { + return nil, err + } + + cs := make([]*http.Cookie, len(cookies)) + for i, c := range cookies { + cs[i] = &http.Cookie{Name: c.Name, Value: c.Value, Domain: c.Domain} + } + + u, err := urlpkg.Parse(url) + if err != nil { + return nil, err + } + + // ignore the path of the URL + u.Path = "" + + jar.SetCookies(u, cs) + + return jar, nil } func Get(url string, ctx Context) (resp *http.Response, cancel ctxt.CancelFunc, err error) { @@ -82,9 +111,10 @@ func Get(url string, ctx Context) (resp *http.Response, cancel ctxt.CancelFunc, } req.Header.Set("User-Agent", "Feed2Imap-Go/1.0") - for _, c := range ctx.Cookies { - cookie := http.Cookie{Name: c.Name, Value: c.Value} - req.AddCookie(&cookie) + if ctx.Jar != nil { + for _, c := range ctx.Jar.Cookies(req.URL) { + req.AddCookie(c) + } } resp, err = client(ctx.DisableTLS).Do(req) -- cgit v1.2.3