author | bptato <nincsnevem662@gmail.com> | 2024-06-09 03:52:11 +0200 |
---|---|---|
committer | bptato <nincsnevem662@gmail.com> | 2024-06-09 03:54:16 +0200 |
commit | 48be38b8d04b9ca0c6796e259d762e4533d9a458 (patch) | |
tree | 5cc0597a81ac2d59e9226029186c42df27da900f /src | |
parent | f042e9798f9137063e14322cdc53614d8aa10614 (diff) | |
download | chawan-48be38b8d04b9ca0c6796e259d762e4533d9a458.tar.gz |
pager: actually fix broken logic
ok we block if:
* method is not GET
* scheme is different
* it is not the case that both the current and the target schemes are http/s
Diffstat (limited to 'src')
-rw-r--r-- | src/local/pager.nim | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/local/pager.nim b/src/local/pager.nim
index 00291e87..b8d8661e 100644
--- a/src/local/pager.nim
+++ b/src/local/pager.nim
@@ -1863,8 +1863,8 @@ proc handleEvent0(pager: Pager; container: Container; event: ContainerEvent):
 let url = event.request.url
 let sameScheme = container.url.scheme == url.scheme
 if event.request.httpMethod != hmGet and not sameScheme and
- container.url.scheme notin ["http", "https"] and
- url.scheme notin ["http", "https"]:
+ not (container.url.scheme in ["http", "https"] and
+ url.scheme in ["http", "https"]):
 pager.alert("Blocked cross-scheme POST: " & $url)
 return
 #TODO this is horrible UX, async actions shouldn't block input |
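Review bot: The exemption in the rewritten condition is symmetric: with `sameScheme` false, a non-GET request from an `https` container to an `http` URL passes the check just like the http-to-https case, so data submitted from a TLS page can leave in cleartext without any alert. The commit message describes the exemption as covering both directions, so this may be deliberate, but the downgrade direction deserves at least a warning, or the exemption can be narrowed to the upgrade with `not (container.url.scheme == "http" and url.scheme == "https")`. The alert text also says POST while the test is `httpMethod != hmGet`, so any other non-GET method would be reported under the wrong name. The commit title suggests an earlier attempt at this predicate was wrong, so a comment above the `if` such as `# block non-GET cross-scheme requests, except between http and https` would record the intent; handleEvent0 starts and ends outside the hunk.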