
Fix improper CORS return #4577

Merged
merged 1 commit into from Mar 5, 2019

4 participants
@bigmstone
Contributor

bigmstone commented Mar 5, 2019

Prior to this commit, if you sent a request from an origin not listed in allowed_origins we would respond with null for the Access-Control-Allow-Origin header. Per Mozilla's documentation, null should not be used as some clients will allow the request to go through. This PR returns the first of our allowed origins if the requesting origin is not a supported origin.

bigmstone
Fix improper CORS return
Prior to this commit if you sent a request from an origin not listed in
`allowed_origins` we would respond with `null` for the
`Access-Control-Allow-Origin` header. Per
[Mozilla's documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin#Directives)
null should not be used as some clients will allow the request to go
through. This commit returns the first of our allowed origins if the
requesting origin is not a supported origin.
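The two behaviours the PR contrasts, as an added example that is not StackStorm's code: one function reproduces the pre-fix `null` fallback, the other the fixed fallback to the first configured origin. The `ALLOWED_ORIGINS` values are constructed sample configuration; the `Vary: Origin` header is a standard CORS caching hint added here, not something the PR describes.

```python
"""Access-Control-Allow-Origin selection, before and after the fix.

Added example, not StackStorm's own code. `allowed_origins` mirrors the
config option named in the PR; header names are the standard CORS ones.
"""
from typing import List, Optional

# Constructed sample configuration: the origins an operator has whitelisted.
ALLOWED_ORIGINS = ["https://st2.example.com", "https://ops.example.com"]


def acao_before_fix(origin: Optional[str], allowed_origins: List[str]) -> str:
    """Behaviour described as 'prior to this commit': unknown origins get 'null'.

    Unsafe because an opaque origin (sandboxed iframe, data: or file: page)
    sends the literal request header 'Origin: null', so a browser sees
    'Access-Control-Allow-Origin: null' as a match and exposes the response.
    """
    if origin in allowed_origins:
        return origin
    return "null"


def acao_after_fix(origin: Optional[str], allowed_origins: List[str]) -> str:
    """Behaviour introduced by the PR: echo the origin only when whitelisted,
    otherwise fall back to the first allowed origin.

    The fallback is harmless: the browser compares it with the requesting
    origin, which by construction does not match, so the response is blocked.
    """
    if origin in allowed_origins:
        return origin
    return allowed_origins[0]


def cors_headers(origin: Optional[str], allowed_origins: List[str]) -> dict:
    """Response headers a handler would attach using the fixed behaviour."""
    return {
        "Access-Control-Allow-Origin": acao_after_fix(origin, allowed_origins),
        # Tell caches that this response depends on the request's Origin header.
        "Vary": "Origin",
    }


if __name__ == "__main__":
    for req in ["https://ops.example.com", "https://evil.example", "null", None]:
        print(req, "->", acao_before_fix(req, ALLOWED_ORIGINS),
              "|", acao_after_fix(req, ALLOWED_ORIGINS))
```

The `"null"` case is the one that matters: before the fix it is echoed back and therefore matches an opaque-origin request, after the fix it receives a value that can never match.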
@m4dcoder
Contributor

m4dcoder left a comment

LGTM

@m4dcoder m4dcoder merged commit 7b53886 into master Mar 5, 2019

5 checks passed

ci/circleci: packages: Your tests passed on CircleCI!
continuous-integration/travis-ci/pr: The Travis CI build passed
st2/e2e/centos7: E2E tests have finished successfully
st2/e2e/ubuntu16: E2E tests have finished successfully
st2/e2e/ubuntu18: E2E tests have finished successfully

@Kami Kami deleted the return-proper-cors-value branch Mar 6, 2019

@Kami Kami added this to the 2.10.3 milestone Mar 6, 2019

@Kami

Member

Kami commented Mar 6, 2019

LGTM, probably also a good idea to document this behavior in st2docs?

@Quitten


Quitten commented Mar 6, 2019

Hey, I am the reporter of this bug; I assigned the following CVE for it:
CVE-2019-9580
Thanks for fixing and fast cooperation :)

@bigmstone

Contributor Author

bigmstone commented Mar 6, 2019

@Quitten thanks again. The patch release should be out today. Will keep you posted.
