Merge pull request #345 from python273/patch-3
Fix Origin header check bypass
commit
79d252254f
@ -136,12 +136,12 @@ class Handler(BaseHTTPRequestHandler):
|
|||||||
# check the Origin header vs CORS
|
# check the Origin header vs CORS
|
||||||
def _is_allowed(self):
|
def _is_allowed(self):
|
||||||
origin = self.headers.get('origin')
|
origin = self.headers.get('origin')
|
||||||
if origin == "":
|
if not origin:
|
||||||
logging.warning("request with no Origin header from %s" % self.address_string())
|
logging.warning("request with no Origin header from %s" % self.address_string())
|
||||||
return False
|
return False
|
||||||
|
|
||||||
if Handler.AllowedOrigin != '*':
|
if Handler.AllowedOrigin != '*':
|
||||||
if origin != Handler.AllowedOrigin and not origin.starts_with(Handler.AllowedOrigin):
|
if origin != Handler.AllowedOrigin:
|
||||||
logging.warning("request with blocked Origin from %s: %s" % (self.address_string(), origin))
|
logging.warning("request with blocked Origin from %s: %s" % (self.address_string(), origin))
|
||||||
return False
|
return False
|
||||||
|
|
||||||
|
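Review bot: `_is_allowed` now depends on the exact string comparison at `if origin != Handler.AllowedOrigin:`, but nothing in the hunk documents that contract, so a later edit could reintroduce a looser match. I would add a comment above the comparison such as `# exact match only: prefix or substring matching lets a look-alike origin through`, and a second one beside `if Handler.AllowedOrigin != '*':` stating that `'*'` disables the Origin check entirely. The comparison is case-sensitive and does no normalisation, so a configured value with a trailing slash or an upper-case host would reject legitimate requests (it fails closed), which is worth stating wherever AllowedOrigin is set. Origin is supplied by the client, so this check only constrains browsers and should not be read as authentication. The function body continues outside the hunk.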