Fix XSS regressions

The router has an old sanity check in it to verify that nodes are
simple. This is no longer the case, as we can have multiple,
overlapping routes between different handlers, so non-simple root nodes
are allowed.

The commit here broke a couple things.
0260d9d6b252d5fef81a51d4797e27a6893827f4

First, when that route gets injected, the root node is no longer simple,
as the first root in the trie can be a complex node. This should be ok,
and this commit comments out the check.

Also, because the meson node for the option was loaded directly into
set10, instead of the boolean equivalent, the XSS feature always gets
enabled, regardless of whether or not that's what the user wanted. The
fix to this was to simply include a .enabled(), which correctly calls
the bool.

Tested:
Built with insecure-disable-xss set, and observed crash was removed.
Tried several routes including /redfish/v1 and observed them working.

Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: Ib9fb55a61796ddbda65b7ee5d2803a5cbd2ae75f
diff --git a/http/routing.hpp b/http/routing.hpp
index b4ebede..65c7b70 100644
--- a/http/routing.hpp
+++ b/http/routing.hpp
@@ -714,11 +714,6 @@
public:
void validate()
{
- if (!head()->isSimpleNode())
- {
- throw std::runtime_error(
- "Internal error: Trie header should be simple!");
- }
optimize();
}
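Review bot: After this removal validate() in http/routing.hpp performs no validation at all, it only calls optimize(), so the name now misleads callers. The commit message also says the check is commented out, while the hunk deletes it outright. Either rename the function, or leave a short comment in validate() recording that a non-simple head node is now legal because routes from different handlers can overlap at the root. The "Tested" section covers a manual build and a few routes only; a unit test that registers overlapping routes at the root and then calls validate() would keep the std::runtime_error crash from coming back unnoticed.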
diff --git a/meson.build b/meson.build
index 27f25ec..35f4f1d 100644
--- a/meson.build
+++ b/meson.build
@@ -342,7 +342,7 @@
conf_data = configuration_data()
conf_data.set('BMCWEB_HTTP_REQ_BODY_LIMIT_MB', get_option('http-body-limit'))
xss_enabled = get_option('insecure-disable-xss')
-conf_data.set10('BMCWEB_INSECURE_DISABLE_XSS_PREVENTION', xss_enabled)
+conf_data.set10('BMCWEB_INSECURE_DISABLE_XSS_PREVENTION', xss_enabled.enabled())
conf_data.set('MESON_INSTALL_PREFIX', get_option('prefix'))
configure_file(input: 'bmcweb_config.h.in',
output: 'bmcweb_config.h',
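Review bot: In meson.build the variable xss_enabled still holds the raw result of get_option('insecure-disable-xss') and its name reads as the opposite of what the option does, which is how a mistake in this line stays hidden in review. Since BMCWEB_INSECURE_DISABLE_XSS_PREVENTION turns a protection off, consider assigning the boolean once under a name that matches, for example xss_prevention_disabled = get_option('insecure-disable-xss').enabled(), and passing that to set10. Note that .enabled() is true only for an explicit 'enabled' value, so an 'auto' setting leaves XSS prevention on, which is the safe default and worth stating in the option description. Any other feature-type option passed directly to set10 would have the same always-on defect, so those calls should be audited in the same change or a follow-up.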