FINALLY fix the multiple injections bug

2026-06-15 18:13:40 +03:00 · 2022-08-13 23:58:57 -04:00
parent 84a19203c5
commit 30a538e85e
3 changed files with 4 additions and 3 deletions
--- a/backend/helpers.py
+++ b/backend/helpers.py
@@ -1,6 +1,7 @@
 import certifi
 import ssl
 import uuid
+import re

 from aiohttp.web import middleware, Response
 from subprocess import check_output
@@ -12,6 +13,8 @@ ssl_ctx = ssl.create_default_context(cafile=certifi.where())
 user = None
 group = None

+assets_regex = re.compile("^/plugins/.*/assets/.*")
+
 def get_ssl_context():
    return ssl_ctx

@@ -20,7 +23,7 @@ def get_csrf_token():

@middleware
 async def csrf_middleware(request, handler):
-    if str(request.method) == "OPTIONS" or request.headers.get('Authentication') == csrf_token or str(request.rel_url) == "/auth/token" or str(request.rel_url).startswith("/plugins/load_main/") or str(request.rel_url).startswith("/static/") or str(request.rel_url).startswith("/legacy/") or str(request.rel_url).startswith("/steam_resource/"):
+    if str(request.method) == "OPTIONS" or request.headers.get('Authentication') == csrf_token or str(request.rel_url) == "/auth/token" or str(request.rel_url).startswith("/plugins/load_main/") or str(request.rel_url).startswith("/static/") or str(request.rel_url).startswith("/legacy/") or str(request.rel_url).startswith("/steam_resource/") or assets_regex.match(str(request.rel_url)):
        return await handler(request)
    return Response(text='Forbidden', status='403')

--- a/backend/main.py
+++ b/backend/main.py
@@ -62,7 +62,6 @@ class PluginManager:
        self.updater = Updater(self)

        jinja_setup(self.web_app)
-        self.web_app.on_startup.append(self.inject_javascript)
        if CONFIG["chown_plugin_path"] == True:
            self.web_app.on_startup.append(chown_plugin_dir)
        self.loop.create_task(self.loader_reinjector())