Security: Use Header.Set and Header.Del for X-Grafana-User header (#25495)

This ensures that the X-Grafana-User header can be trusted.
If the configuration enabled the setting of this header, the
server can now trust that X-Grafana-User is set/unset by Grafana.
Before this, an anonymous user could simply set the X-Grafana-User
header themselves (using the browser's developer tools, for example).
This commit is contained in:
Robbert Gurdeep Singh
2020-06-11 21:15:17 +02:00
committed by GitHub
parent 1e88e50822
commit 034abaa73a
3 changed files with 12 additions and 7 deletions


@ -3,6 +3,7 @@ package pluginproxy
import (
"bytes"
"fmt"
"net/http"
"net/url"
"text/template"
@ -47,3 +48,11 @@ func InterpolateURL(anURL *url.URL, route *plugins.AppPluginRoute, orgID int64,
return result, err
}
// Set the X-Grafana-User header if needed (and remove if not)
func applyUserHeader(sendUserHeader bool, req *http.Request, user *models.SignedInUser) {
req.Header.Del("X-Grafana-User")
if sendUserHeader && !user.IsAnonymous {
req.Header.Set("X-Grafana-User", user.Login)
}
}
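Review bot: `applyUserHeader` dereferences `user` on the `!user.IsAnonymous` check whenever `sendUserHeader` is true, so a nil `*models.SignedInUser` from a caller would panic inside the proxy; unless every call site guarantees a non-nil user (the callers are not in this hunk), guard it with `if sendUserHeader && user != nil && !user.IsAnonymous {`. The removal on the line above works because `Header.Del` canonicalizes the key, so a client-supplied `x-grafana-user` in any letter case is dropped as well; only a value written straight into the `Header` map under a non-canonical key would survive, which net/http's request parser does not produce. Since that is the security property this commit introduces, it deserves a line in the code: `// Always drop any client-supplied X-Grafana-User first (Del canonicalizes the key, so case variants go too), then set it only from the signed-in user.` The leading comment should also start with the function name per Go doc convention, e.g. `// applyUserHeader sets the X-Grafana-User header if needed (and removes it if not).`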