Merge pull request #345 from python273/patch-3
Fix Origin header check bypass
commit
79d252254f
@ -136,12 +136,12 @@ class Handler(BaseHTTPRequestHandler):
|
||||
# check the Origin header vs CORS
|
||||
def _is_allowed(self):
|
||||
origin = self.headers.get('origin')
|
||||
if origin == "":
|
||||
if not origin:
|
||||
logging.warning("request with no Origin header from %s" % self.address_string())
|
||||
return False
|
||||
|
||||
if Handler.AllowedOrigin != '*':
|
||||
if origin != Handler.AllowedOrigin and not origin.starts_with(Handler.AllowedOrigin):
|
||||
if origin != Handler.AllowedOrigin:
|
||||
logging.warning("request with blocked Origin from %s: %s" % (self.address_string(), origin))
|
||||
return False
|
||||
|
||||
|
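Review bot: The blocked-Origin warning in `_is_allowed` interpolates the client-supplied `Origin` value straight into the log message, so whatever the client sent lands in the log unescaped; logging it with `%r` and lazy arguments keeps any control characters visible, e.g. `logging.warning("request with blocked Origin from %s: %r", self.address_string(), origin)`. Assuming `if origin != Handler.AllowedOrigin:` is the new side (the +/- markers did not survive on this page), the check is now an exact string match, so `Handler.AllowedOrigin` must be configured exactly as browsers serialize the origin (scheme, host, optional port, no trailing slash) or every request is rejected. The one-line comment above the method could say so, something like `# exact match against the serialized origin (scheme://host[:port]); '*' accepts any non-empty Origin`. A regression test covering an origin that merely begins with the allowed value would keep the prefix match from coming back. The method body appears to continue past the end of the hunk.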