Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Harden CORS origin handling.
The non quoted dots, and the missing beginning/ending delimiters
allow to bypass restrictions when domains are allowed via
`*.good.com`, as the dots will match any char, allowing
for example `not-good.com` to slip through, and the domain name
could also be a subdomain of a different domain, like
`www.good.com.bad.com`.
  • Loading branch information
ndm2 committed Dec 11, 2015
1 parent 1158d60 commit 2f08e50
Show file tree
Hide file tree
Showing 2 changed files with 19 additions and 10 deletions.
4 changes: 2 additions & 2 deletions src/Network/Response.php
Expand Up @@ -1390,9 +1390,9 @@ protected function _normalizeCorsDomains($domains, $requestIsSSL = false)

$original = $preg = $domain;
if (strpos($domain, '://') === false) {
$preg = ($requestIsSSL ? 'https://' : 'http://') . $domain;
$domain = ($requestIsSSL ? 'https://' : 'http://') . $domain;
}
$preg = '@' . str_replace('*', '.*', $domain) . '@';
$preg = '@^' . str_replace('\*', '.*', preg_quote($domain, '@')) . '$@';
$result[] = compact('original', 'preg');
}
return $result;
Expand Down
25 changes: 17 additions & 8 deletions tests/TestCase/Network/ResponseTest.php
Expand Up @@ -1113,11 +1113,14 @@ public function corsData()
{
$fooRequest = new Request();

$secureRequest = $this->getMock('Cake\Network\Request', ['is']);
$secureRequest->expects($this->any())
->method('is')
->with('ssl')
->will($this->returnValue(true));
$secureRequest = function () {
$secureRequest = $this->getMock('Cake\Network\Request', ['is']);
$secureRequest->expects($this->any())
->method('is')
->with('ssl')
->will($this->returnValue(true));
return $secureRequest;
};

return [
[$fooRequest, null, '*', '', '', false, false],
Expand All @@ -1129,9 +1132,15 @@ public function corsData()
[$fooRequest, 'http://www.foo.com', 'https://*.foo.com', '', '', false, false],
[$fooRequest, 'http://www.foo.com', ['*.bar.com', '*.foo.com'], '', '', 'http://www.foo.com', false],

[$secureRequest, 'https://www.bar.com', 'www.bar.com', '', '', 'https://www.bar.com', false],
[$secureRequest, 'https://www.bar.com', 'http://www.bar.com', '', '', false, false],
[$secureRequest, 'https://www.bar.com', '*.bar.com', '', '', 'https://www.bar.com', false],
[$fooRequest, 'http://not-foo.com', '*.foo.com', '', '', false, false],
[$fooRequest, 'http://bad.academy', '*.acad.my', '', '', false, false],
[$fooRequest, 'http://www.foo.com.at.bad.com', '*.foo.com', '', '', false, false],
[$fooRequest, 'https://www.foo.com', '*.foo.com', '', '', false, false],

[$secureRequest(), 'https://www.bar.com', 'www.bar.com', '', '', 'https://www.bar.com', false],
[$secureRequest(), 'https://www.bar.com', 'http://www.bar.com', '', '', false, false],
[$secureRequest(), 'https://www.bar.com', '*.bar.com', '', '', 'https://www.bar.com', false],
[$secureRequest(), 'http://www.bar.com', '*.bar.com', '', '', false, false],

[$fooRequest, 'http://www.foo.com', '*', 'GET', '', '*', 'GET'],
[$fooRequest, 'http://www.foo.com', '*.foo.com', 'GET', '', 'http://www.foo.com', 'GET'],
Expand Down

0 comments on commit 2f08e50

Please sign in to comment.