diff options
| author | Ed Tanous <ed@tanous.net> | 2021-02-07 22:31:07 +0300 |
|---|---|---|
| committer | Ed Tanous <ed@tanous.net> | 2021-02-19 23:40:24 +0300 |
| commit | 0260d9d6b252d5fef81a51d4797e27a6893827f4 (patch) | |
| tree | fbaaae47d3a1ad2997f26b52a6760e1dac5f2eef /src/webserver_main.cpp | |
| parent | 71f52d96b51bda2a2f00374237f368e980396692 (diff) | |
| download | bmcweb-0260d9d6b252d5fef81a51d4797e27a6893827f4.tar.xz | |
Fix compile issue on DISABLE_XSS_PREVENTION
Fixes #178
Every few months, this option breaks because of some combination of
compiler options. I'm hoping that this is a more permenant fix, and
will keep it working forever.
Functionally, this commit changes a couple things.
1. It fixes the regression that snuck into this option, by making the
req variable optional using the c++17 [[maybe_unused]] syntax.
2. It promotes the BMCWEB_INSECURE_DISABLE_XSS_PREVENTION into the
config.h file, and a constexpr variable rather than a #define. This has
the benefit that both the code paths in question will compiled
regardless of whether or not they're used, thus ensuring they stay
buildable forever. The optimization path will still delete the code
later, but we won't have so many one-off build options breaking. We
should move all the other feature driven #ifdefs to this pattern in the
future.
3. As a mechnaical change to #2, this adds a config.h.in, which delcares
the various variables as their respective constexpr types. This allows
the constants to be used in a cleaner way.
As an aside, at some point, DISABLE_XSS_PREVENTION should really move to
a non-persistent runtime option rather than a compile time option. Too
many people get hung up on having to recompile their BMC, and moving it
to runtime under admin credentials is no more a security risk.
As another aside, we should move all the other #ifdef style options to
this pattern. It seems like it would help with keeping all options
buildable, and is definitely more modern than #ifdefs for features,
especially if they don't require #include changes or linker changes.
Tested:
enabled meson option insecure-disable-xss, and verified code builds and
works again.
Change-Id: Id03faa17cffdbabaf4e5b0d46b24bb58b7f44669
Signed-off-by: Ed Tanous <edtanous@google.com>
Diffstat (limited to 'src/webserver_main.cpp')
| -rw-r--r-- | src/webserver_main.cpp | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/src/webserver_main.cpp b/src/webserver_main.cpp index b5bc28cac9..014c2ff454 100644 --- a/src/webserver_main.cpp +++ b/src/webserver_main.cpp @@ -2,6 +2,7 @@ #include <app.hpp> #include <boost/asio/io_context.hpp> +#include <cors_preflight.hpp> #include <dbus_monitor.hpp> #include <dbus_singleton.hpp> #include <hostname_monitor.hpp> @@ -99,9 +100,10 @@ int main(int /*argc*/, char** /*argv*/) crow::ibm_mc_lock::Lock::getInstance(); #endif -#ifdef BMCWEB_INSECURE_DISABLE_XSS_PREVENTION - cors_preflight::requestRoutes(app); -#endif + if (bmcwebInsecureDisableXssPrevention) + { + cors_preflight::requestRoutes(app); + } crow::login_routes::requestRoutes(app); |