CVE-2017-20146: [bugfix] Don't return the origin header when configured to * (#116) · gorilla/handlers@9066371
Usage of the CORS handler may apply improper CORS headers, allowing the requester to explicitly control the value of the Access-Control-Allow-Origin header, which bypasses the expected behavior of the Same Origin Policy.
@@ -327,10 +327,45 @@ func TestCORSHandlerWithCustomValidator(t *testing.T) { return false }
CORS(AllowedOriginValidator(originValidator))(testHandler).ServeHTTP(rr, r) // Specially craft a CORS object. handleFunc := func(h http.Handler) http.Handler { c := &cors{ allowedMethods: defaultCorsMethods, allowedHeaders: defaultCorsHeaders, allowedOrigins: []string{"http://a.example.com"}, h: h, } AllowedOriginValidator(originValidator)© return c }
handleFunc(testHandler).ServeHTTP(rr, r) header := rr.HeaderMap.Get(corsAllowOriginHeader) if header != r.URL.String() { t.Fatalf("bad header: expected %s to be %s, got %s.", corsAllowOriginHeader, r.URL.String(), header) }
}
func TestCORSAllowStar(t *testing.T) { r := newRequest("GET", “http://a.example.com”) r.Header.Set("Origin", r.URL.String()) rr := httptest.NewRecorder()
testHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}) originValidator := func(origin string) bool { if strings.HasSuffix(origin, “.example.com”) { return true } return false }
CORS(AllowedOriginValidator(originValidator))(testHandler).ServeHTTP(rr, r) header := rr.HeaderMap.Get(corsAllowOriginHeader) // Because * is the default CORS policy (which is safe), we should be // expect a * returned here as the Access Control Allow Origin header if header != “*” { t.Fatalf("bad header: expected %s to be %s, got %s.", corsAllowOriginHeader, r.URL.String(), header) }
}
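Review bot: In TestCORSAllowStar the failure message is inconsistent with the assertion — the check is `if header != "*"`, but the Fatalf still passes `r.URL.String()` as the expected value, so a regression would be reported as "expected ... to be http://a.example.com" even though the test wants the literal wildcard; it should read `t.Fatalf("bad header: expected %s to be %s, got %s.", corsAllowOriginHeader, "*", header)`. The same mismatch matters for the security point of this fix: the test exists to prove the Origin is no longer reflected, and the message should say so when it fails. The test only covers the default (implicit) `*` policy; since the commit title is "when configured to *", a companion case that sets `AllowedOrigins([]string{"*"})` explicitly would pin the configured-wildcard path the CVE describes. The typographic quotes in `“http://a.example.com”`, `“.example.com”`, `“*”` and the `©` in `AllowedOriginValidator(originValidator)©` would not compile as Go and look like a page-rendering artifact of `"..."` and `(c)` rather than the committed code — worth confirming against the raw patch.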