author | George Goldberg <george@gberg.me> | 2017-05-04 22:21:28 +0100 |
---|---|---|
committer | Joram Wilander <jwawilander@gmail.com> | 2017-05-04 17:21:28 -0400 |
commit | 85c2d5a478008cfa9030e1bddc23fa91e232a573 (patch) | |
tree | acbbee15d86c66d32691b07cb9dd57f0ee6ba3e7 | |
parent | 010ec23af38c7c15f133f9327685b9813efb3e43 (diff) | |
download | chat-85c2d5a478008cfa9030e1bddc23fa91e232a573.tar.gz chat-85c2d5a478008cfa9030e1bddc23fa91e232a573.tar.bz2 chat-85c2d5a478008cfa9030e1bddc23fa91e232a573.zip |
PLT-6393: Fix Websocket CORS header check. (#6335)
-rw-r--r-- | api/websocket_test.go | 4 | ||||
-rw-r--r-- | utils/api.go | 2 |
2 files changed, 3 insertions, 3 deletions
diff --git a/api/websocket_test.go b/api/websocket_test.go
index bda014f06..a65ebc02e 100644
--- a/api/websocket_test.go
+++ b/api/websocket_test.go
@@ -345,7 +345,7 @@ func TestWebsocketOriginSecurity(t *testing.T) {
 	}
 
 	// Should succeed now because matching CORS
-	*utils.Cfg.ServiceSettings.AllowCorsFrom = "www.evil.com"
+	*utils.Cfg.ServiceSettings.AllowCorsFrom = "http://www.evil.com"
 	_, _, err = websocket.DefaultDialer.Dial(url+model.API_URL_SUFFIX_V3+"/users/websocket", http.Header{
 		"Origin": []string{"http://www.evil.com"},
 	})
@@ -354,7 +354,7 @@ func TestWebsocketOriginSecurity(t *testing.T) {
 	}
 
 	// Should fail because non-matching CORS
-	*utils.Cfg.ServiceSettings.AllowCorsFrom = "www.good.com"
+	*utils.Cfg.ServiceSettings.AllowCorsFrom = "http://www.good.com"
 	_, _, err = websocket.DefaultDialer.Dial(url+model.API_URL_SUFFIX_V3+"/users/websocket", http.Header{
 		"Origin": []string{"http://www.evil.com"},
 	})
diff --git a/utils/api.go b/utils/api.go
index 55f84ef92..663f53c16 100644
--- a/utils/api.go
+++ b/utils/api.go
@@ -15,7 +15,7 @@ type OriginCheckerProc func(*http.Request) bool
 
 func OriginChecker(r *http.Request) bool {
 	origin := r.Header.Get("Origin")
-	return *Cfg.ServiceSettings.AllowCorsFrom == "*" || strings.Contains(origin, *Cfg.ServiceSettings.AllowCorsFrom)
+	return *Cfg.ServiceSettings.AllowCorsFrom == "*" || strings.Contains(*Cfg.ServiceSettings.AllowCorsFrom, origin)
 }
 
 func GetOriginChecker(r *http.Request) OriginCheckerProc { |
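Review bot: The "non-matching CORS" case in the second hunk only dials with an Origin that shares no prefix with the configured value, so it cannot detect the substring acceptance that `strings.Contains` still allows in `OriginChecker`: with `AllowCorsFrom = "http://www.good.com"`, a dial carrying `"Origin": []string{"http://www.good.co"}` is expected to fail but would be accepted by the checker as written. Adding that case, plus one that omits the Origin header entirely, would pin down exactly what the checker is meant to accept rather than what the current comparison happens to let through. `TestWebsocketOriginSecurity` starts before and continues after this hunk.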
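Review bot: Swapping the arguments in the `return` line of `OriginChecker` removes the old "config is a substring of the Origin" hole but keeps a substring comparison, so any Origin that is a prefix or substring of the configured value is still accepted: with `AllowCorsFrom = "http://www.good.com"`, the Origin `http://www.good.co` (a different registrable domain) passes, and because `strings.Contains(s, "")` is true, a request with no Origin header at all passes too. An origin allow-list should compare exactly; if the setting is meant to hold several origins (a whitespace-separated list would suggest so, but that is not visible here), split it and compare each entry with `==`, and if clients without an Origin header must still be allowed, make that an explicit `origin == ""` branch rather than a side effect of the substring test. The rewrite below is in terms of the hunk's new side; the `GetOriginChecker` body that follows starts inside the hunk and continues outside it.
```go
func OriginChecker(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	allowed := *Cfg.ServiceSettings.AllowCorsFrom
	if allowed == "*" {
		return true
	}
	// Exact match per configured origin: a substring test would accept
	// e.g. "http://www.good.co" when "http://www.good.com" is configured,
	// and would accept an absent Origin header (empty string) outright.
	for _, a := range strings.Fields(allowed) {
		if a == origin {
			return true
		}
	}
	return false
}
```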