arno/isso
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

return first item of [general] -> host if origin is hidden

Browse Source 
A minor regression introduced by the latest refactorings. A functional
test is now included. Only affects Firefox users that use non-SSL and
supress their HTTP Referer completely
This commit is contained in:
Martin Zimmermann 2014-03-29 12:58:08 +01:00
parent 87179fe8fa
commit 765a91fefb
3 changed files with 11 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
isso/tests/test_cors.py
View File

@ -25,13 +25,12 @@ class CORSTest(unittest.TestCase):
origin=origin([ origin=origin([
"https://example.tld/", "https://example.tld/",
"http://example.tld/", "http://example.tld/",
"http://example.tld",
]), ]),
allowed=("Foo", "Bar"), exposed=("Spam", )) allowed=("Foo", "Bar"), exposed=("Spam", ))
client = Client(app, Response) client = Client(app, Response)
rv = client.get("/", headers={"ORIGIN": "https://example.tld"}) rv = client.get("/", headers={"Origin": "https://example.tld"})
self.assertEqual(rv.headers["Access-Control-Allow-Origin"], "https://example.tld") self.assertEqual(rv.headers["Access-Control-Allow-Origin"], "https://example.tld")
self.assertEqual(rv.headers["Access-Control-Allow-Credentials"], "true") self.assertEqual(rv.headers["Access-Control-Allow-Credentials"], "true")
@ -39,13 +38,13 @@ class CORSTest(unittest.TestCase):
self.assertEqual(rv.headers["Access-Control-Allow-Headers"], "Foo, Bar") self.assertEqual(rv.headers["Access-Control-Allow-Headers"], "Foo, Bar")
self.assertEqual(rv.headers["Access-Control-Expose-Headers"], "Spam") self.assertEqual(rv.headers["Access-Control-Expose-Headers"], "Spam")
a = client.get("/", headers={"ORIGIN": "http://example.tld"}) a = client.get("/", headers={"Origin": "http://example.tld"})
self.assertEqual(a.headers["Access-Control-Allow-Origin"], "http://example.tld") self.assertEqual(a.headers["Access-Control-Allow-Origin"], "http://example.tld")
b = client.get("/", headers={"ORIGIN": "http://example.tld"}) b = client.get("/", headers={"Origin": "http://example.tld"})
self.assertEqual(b.headers["Access-Control-Allow-Origin"], "http://example.tld") self.assertEqual(b.headers["Access-Control-Allow-Origin"], "http://example.tld")
c = client.get("/", headers={"ORIGIN": "http://foo.other"}) c = client.get("/", headers={"Origin": "http://foo.other"})
self.assertEqual(c.headers["Access-Control-Allow-Origin"], "https://example.tld") self.assertEqual(c.headers["Access-Control-Allow-Origin"], "https://example.tld")
@ -55,7 +54,7 @@ class CORSTest(unittest.TestCase):
allowed=("Foo", ), exposed=("Bar", )) allowed=("Foo", ), exposed=("Bar", ))
client = Client(app, Response) client = Client(app, Response)
rv = client.open(method="OPTIONS", path="/", headers={"ORIGIN": "http://example.tld"}) rv = client.open(method="OPTIONS", path="/", headers={"Origin": "http://example.tld"})
self.assertEqual(rv.status_code, 200) self.assertEqual(rv.status_code, 200)
for hdr in ("Origin", "Headers", "Credentials", "Methods"): for hdr in ("Origin", "Headers", "Credentials", "Methods"):

1
isso/tests/test_wsgi.py
View File

@ -46,3 +46,4 @@ class TestWSGIUtilities(unittest.TestCase):
"http://foo.bar") "http://foo.bar")
self.assertEqual(origin({"HTTP_ORIGIN": "http://spam.baz"}), self.assertEqual(origin({"HTTP_ORIGIN": "http://spam.baz"}),
"http://foo.bar") "http://foo.bar")
self.assertEqual(origin({}), "http://foo.bar")

7
isso/wsgi.py
View File

@ -81,10 +81,13 @@ def origin(hosts):
def func(environ): def func(environ):
if not hosts:
return "http://invalid.local"
loc = environ.get("HTTP_ORIGIN", environ.get("HTTP_REFERER", None)) loc = environ.get("HTTP_ORIGIN", environ.get("HTTP_REFERER", None))
if not hosts or not loc: if loc is None:
return "http://invalid.local" return urljoin(*hosts[0])
for split in hosts: for split in hosts:
if urlsplit(loc) == split: if urlsplit(loc) == split: