Merge pull request #345 from python273/patch-3

Fix Origin header check bypass
evilsocket 2019-10-20 21:42:08 +02:00 committed by GitHub
commit 79d252254f


@ -136,12 +136,12 @@ class Handler(BaseHTTPRequestHandler):
# check the Origin header vs CORS # check the Origin header vs CORS
def _is_allowed(self): def _is_allowed(self):
origin = self.headers.get('origin') origin = self.headers.get('origin')
if origin == "": if not origin:
logging.warning("request with no Origin header from %s" % self.address_string()) logging.warning("request with no Origin header from %s" % self.address_string())
return False return False
if Handler.AllowedOrigin != '*': if Handler.AllowedOrigin != '*':
if origin != Handler.AllowedOrigin and not origin.starts_with(Handler.AllowedOrigin): if origin != Handler.AllowedOrigin:
logging.warning("request with blocked Origin from %s: %s" % (self.address_string(), origin)) logging.warning("request with blocked Origin from %s: %s" % (self.address_string(), origin))
return False return False