
Commit afc1bdf

committed
Enforce 'Origin' validation
1 parent 8becdaf commit afc1bdf

3 files changed

+11
-1
lines changed


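--- a/README.md
+++ b/README.md
@@ -135,6 +135,7 @@ This next release focus on two-factor-authentication as a measure to increase se
 * Limit incorrect attempts to change the user's password to prevent brute force attacks #225 [CVE-2022-3273](https://nvd.nist.gov/vuln/detail/CVE-2022-3273)
 * Enforce password policy new password cannot be set as new password [CVE-2022-3376](https://nvd.nist.gov/vuln/detail/CVE-2022-3376)
 * Enforce better rate limit on login, mfa, password change and API [CVE-2022-3439](https://nvd.nist.gov/vuln/detail/CVE-2022-3439) [CVE-2022-3456](https://nvd.nist.gov/vuln/detail/CVE-2022-3456)
+* Enforce 'Origin' validation [CVE-2022-3457](https://nvd.nist.gov/vuln/detail/CVE-2022-3457)
 
 Breaking changes:
 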
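--- a/rdiffweb/controller/tests/test_secure_headers.py
+++ b/rdiffweb/controller/tests/test_secure_headers.py
@@ -93,6 +93,15 @@ def test_post_with_wrong_origin(self):
 self.assertStatus(403)
 self.assertInBody('Unexpected Origin header')
 
+def test_post_with_prefixed_origin(self):
+# Given a POST request made to rdiffweb
+# When the request is made using a different origin
+base = 'http://%s:%s' % (self.HOST + 'anything.com', self.PORT)
+self.getPage('/dashboard/', headers=[('Origin', base)], method='POST')
+# Then the request is accepted with 200 OK
+self.assertStatus(403)
+self.assertInBody('Unexpected Origin header')
+
 def test_post_with_valid_origin(self):
 # Given a POST request made to rdiffweb
 # When the request is made using a different origin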
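--- a/rdiffweb/tools/secure_headers.py
+++ b/rdiffweb/tools/secure_headers.py
@@ -59,7 +59,7 @@ def set_headers(
 # Check if Origin matches our target.
 if request.method in ['POST', 'PUT', 'PATCH', 'DELETE']:
 origin = request.headers.get('Origin', None)
-if origin and not origin.startswith(request.base):
+if origin and origin != request.base:
 raise cherrypy.HTTPError(403, 'Unexpected Origin header')
 
 # Check if https is enabled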