7b873b7746
The Olivier Poitrey Go CORS handler through 1.3.0 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems. CVE-2018-20744 Signed-off-by: Yoan Blanc <yoan@dosimple.ch>
72 lines
1.5 KiB
Go
72 lines
1.5 KiB
Go
package cors
|
|
|
|
import "strings"
|
|
|
|
const toLower = 'a' - 'A'
|
|
|
|
type converter func(string) string
|
|
|
|
type wildcard struct {
|
|
prefix string
|
|
suffix string
|
|
}
|
|
|
|
func (w wildcard) match(s string) bool {
|
|
return len(s) >= len(w.prefix)+len(w.suffix) && strings.HasPrefix(s, w.prefix) && strings.HasSuffix(s, w.suffix)
|
|
}
|
|
|
|
// convert converts a list of string using the passed converter function
|
|
func convert(s []string, c converter) []string {
|
|
out := []string{}
|
|
for _, i := range s {
|
|
out = append(out, c(i))
|
|
}
|
|
return out
|
|
}
|
|
|
|
// parseHeaderList tokenize + normalize a string containing a list of headers
|
|
func parseHeaderList(headerList string) []string {
|
|
l := len(headerList)
|
|
h := make([]byte, 0, l)
|
|
upper := true
|
|
// Estimate the number headers in order to allocate the right splice size
|
|
t := 0
|
|
for i := 0; i < l; i++ {
|
|
if headerList[i] == ',' {
|
|
t++
|
|
}
|
|
}
|
|
headers := make([]string, 0, t)
|
|
for i := 0; i < l; i++ {
|
|
b := headerList[i]
|
|
switch {
|
|
case b >= 'a' && b <= 'z':
|
|
if upper {
|
|
h = append(h, b-toLower)
|
|
} else {
|
|
h = append(h, b)
|
|
}
|
|
case b >= 'A' && b <= 'Z':
|
|
if !upper {
|
|
h = append(h, b+toLower)
|
|
} else {
|
|
h = append(h, b)
|
|
}
|
|
case b == '-' || b == '_' || (b >= '0' && b <= '9'):
|
|
h = append(h, b)
|
|
}
|
|
|
|
if b == ' ' || b == ',' || i == l-1 {
|
|
if len(h) > 0 {
|
|
// Flush the found header
|
|
headers = append(headers, string(h))
|
|
h = h[:0]
|
|
upper = true
|
|
}
|
|
} else {
|
|
upper = b == '-' || b == '_'
|
|
}
|
|
}
|
|
return headers
|
|
}
|