public/grafana
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Security: Use Header.Set and Header.Del for X-Grafana-User header (#25495)

Browse Source 
This ensures that the X-Grafana-User header can be trusted.
If the configuration enabled the setting of this header, the
server can now trust that X-Grafana-User is set/unset by Grafana.
Before this, an anonymous user could simply set the X-Grafana-User
header themselves (using the developer tool for example)

(cherry picked from commit 034abaa73a)
This commit is contained in:
Robbert Gurdeep Singh
2020-06-11 21:15:17 +02:00
committed by Dominik Prokop
parent 1ccf307efe
commit d7aa9959a4
3 changed files with 12 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
pkg/api/pluginproxy/pluginproxy.go
+2 -4
View File
@@ -79,11 +79,9 @@ func NewApiPluginProxy(ctx *models.ReqContext, proxyPath string, route *plugins.
return
}
req.Header.Add("X-Grafana-Context", string(ctxJSON))
req.Header.Set("X-Grafana-Context", string(ctxJSON))
if cfg.SendUserHeader && !ctx.SignedInUser.IsAnonymous {
req.Header.Add("X-Grafana-User", ctx.SignedInUser.Login)
}
applyUserHeader(cfg.SendUserHeader, req, ctx.SignedInUser)
if len(route.Headers) > 0 {
headers, err := getHeaders(route, ctx.OrgId, appID)