Merge pull request #345 from python273/patch-3

Fix Origin header check bypass
2019-10-20 21:42:08 +02:00 · 2019-10-20 21:42:08 +02:00 · 79d252254f
commit 79d252254f
parent 64e677f5df f762c3ac0d
1 changed files with 2 additions and 2 deletions
--- a/pwnagotchi/ui/web.py
+++ b/pwnagotchi/ui/web.py
@ -136,12 +136,12 @@ class Handler(BaseHTTPRequestHandler):
    # check the Origin header vs CORS
    def _is_allowed(self):
        origin = self.headers.get('origin')
-        if origin == "":
+        if not origin:
            logging.warning("request with no Origin header from %s" % self.address_string())
            return False

        if Handler.AllowedOrigin != '*':
-            if origin != Handler.AllowedOrigin and not origin.starts_with(Handler.AllowedOrigin):
+            if origin != Handler.AllowedOrigin:
                logging.warning("request with blocked Origin from %s: %s" % (self.address_string(), origin))
                return False