Insecure allowedOrigins validation #691
Autobahn|Python incorrectly checks the Origin header when the 'allowedOrigins' value is set.
The following will set
Then the following connection request will result in a valid 101 Protocol Switch Response:
This is due to the wildcard2patterns function, which turns
Okay, I think I incorporated the feedback in the PR.
Testing with Chrome on
I also introduced an
To partially mitigate this I made the default value in
There's also an issue with port-matching to consider. As it sits, the only configuration is the list of
I guess a 4th way would be to run the (fixed/wrapped) regexes on any incoming complete Origin headers (as now) if
Is there documentation for this change anywhere? It's broken my origin validation, and I'm having trouble figuring out how to fix it. In particular, what should both the allowedOrigin list and the Origin header look like now, in order to match?
I'm seeing errors such as
After adding the scheme to my allowedOrigins list, I see:
It does work when adding both the scheme and port to allowedOrigins, which I assume is because the origin port differs from the server port. A pointer to some explicit documentation about that necessity would still be appreciated. Thanks!
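As an added example that is not Autobahn's code, here is an Origin allowlist check of the kind this issue is about, written so that scheme, host and port all have to match and wildcard entries become anchored, escaped regexes. The hostnames are made up, the `weak_origin_allowed` variant is constructed to illustrate the failure mode rather than copied from the project, and it is an assumption of this example that an omitted port defaults to the scheme's standard port (the comment above found an explicit port was needed in the project itself).

```python
import re

# Standard port per scheme; used when an Origin or allowlist entry omits one.
DEFAULT_PORTS = {"http": 80, "ws": 80, "https": 443, "wss": 443}

# An Origin header is scheme://host[:port] with no path (RFC 6454).
ORIGIN_RE = re.compile(r"^([a-z][a-z0-9+.-]*)://([^/:\s]+)(?::(\d{1,5}))?$", re.I)


def parse_origin(value):
    """Return (scheme, host, port) in canonical lower-case form, or None."""
    m = ORIGIN_RE.match(value.strip())
    if not m:
        return None
    scheme, host, port = m.group(1).lower(), m.group(2).lower(), m.group(3)
    if scheme not in DEFAULT_PORTS:
        return None
    port = int(port) if port else DEFAULT_PORTS[scheme]
    return (scheme, host, port) if port <= 65535 else None


def compile_allowed(entries):
    """Turn allowedOrigins entries such as 'wss://*.example.com:8443' into
    anchored regexes over 'scheme://host:port'. Only '*' is special in the
    host part; every other character is escaped so '.' stays a literal dot."""
    patterns = []
    for entry in entries:
        parsed = parse_origin(entry)
        if parsed is None:
            raise ValueError("allowedOrigins entry must be scheme://host[:port]: %r" % entry)
        scheme, host, port = parsed
        host_re = ".*".join(re.escape(part) for part in host.split("*"))
        patterns.append(re.compile(r"^%s://%s:%d$" % (re.escape(scheme), host_re, port)))
    return patterns


def origin_allowed(origin_header, patterns):
    """Accept only if the canonical scheme://host:port fully matches an entry."""
    parsed = parse_origin(origin_header)
    if parsed is None:          # missing, malformed or 'null' origin: reject
        return False
    return any(p.match("%s://%s:%d" % parsed) for p in patterns)


def weak_origin_allowed(origin_header, entries):
    """Constructed failure mode: the entry is used as a regex as-is, neither
    anchored at the end nor escaped, so 'https://example.com' also accepts
    'https://example.com.attacker.invalid' and 'https://examplexcom'."""
    return any(re.match(e.replace("*", ".*"), origin_header) for e in entries)
```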