PLT-6393: Fix Websocket CORS header check. (#6335)

2025-02-25 18:55:24 -06:00 · 2017-05-04 22:21:28 +01:00
parent 010ec23af3
commit 85c2d5a478
2 changed files with 3 additions and 3 deletions
--- a/api/websocket_test.go
+++ b/api/websocket_test.go
@@ -345,7 +345,7 @@ func TestWebsocketOriginSecurity(t *testing.T) {
 	}

 	// Should succeed now because matching CORS
-	*utils.Cfg.ServiceSettings.AllowCorsFrom = "www.evil.com"
+	*utils.Cfg.ServiceSettings.AllowCorsFrom = "http://www.evil.com"
 	_, _, err = websocket.DefaultDialer.Dial(url+model.API_URL_SUFFIX_V3+"/users/websocket", http.Header{
 		"Origin": []string{"http://www.evil.com"},
 	})
@@ -354,7 +354,7 @@ func TestWebsocketOriginSecurity(t *testing.T) {
 	}

 	// Should fail because non-matching CORS
-	*utils.Cfg.ServiceSettings.AllowCorsFrom = "www.good.com"
+	*utils.Cfg.ServiceSettings.AllowCorsFrom = "http://www.good.com"
 	_, _, err = websocket.DefaultDialer.Dial(url+model.API_URL_SUFFIX_V3+"/users/websocket", http.Header{
 		"Origin": []string{"http://www.evil.com"},
 	})
--- a/utils/api.go
+++ b/utils/api.go
@@ -15,7 +15,7 @@ type OriginCheckerProc func(*http.Request) bool

 func OriginChecker(r *http.Request) bool {
 	origin := r.Header.Get("Origin")
-	return *Cfg.ServiceSettings.AllowCorsFrom == "*" || strings.Contains(origin, *Cfg.ServiceSettings.AllowCorsFrom)
+	return *Cfg.ServiceSettings.AllowCorsFrom == "*" || strings.Contains(*Cfg.ServiceSettings.AllowCorsFrom, origin)
 }

 func GetOriginChecker(r *http.Request) OriginCheckerProc {