Fix regression, fixes #34, closes #35

nelmio · Dec 10, 2014 · d482c01 · d482c01
1 parent 679bce5
commit d482c01
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,7 @@
+### 1.3.3 (2014-12-10)
+
+  * Fixed a security regression in 1.3.2 that allowed GET requests to be executed from any domain
+
 ### 1.3.2 (2014-09-18)
 
   * Removed 403 responses on non-OPTIONS requests that have an invalid origin header

diff --git a/EventListener/CorsListener.php b/EventListener/CorsListener.php
@@ -74,6 +74,10 @@ public function onKernelRequest(GetResponseEvent $event)
             return;
         }
 
+        if (!$this->checkOrigin($request, $options)) {
+            return;
+        }
+
         $this->dispatcher->addListener('kernel.response', array($this, 'onKernelResponse'));
         $this->options = $options;
     }

diff --git a/Tests/CorsListenerTest.php b/Tests/CorsListenerTest.php
@@ -132,12 +132,31 @@ public function testSameHostRequest()
         $req->headers->set('Host', 'example.com');
         $req->headers->set('Origin', 'http://example.com');
 
-        $callback = null;
         $dispatcher = m::mock('Symfony\Component\EventDispatcher\EventDispatcherInterface');
 
         $event = new GetResponseEvent(m::mock('Symfony\Component\HttpKernel\HttpKernelInterface'), $req, HttpKernelInterface::MASTER_REQUEST);
         $this->getListener($dispatcher, $options)->onKernelRequest($event);
 
         $this->assertNull($event->getResponse());
     }
+
+    public function testRequestWithOriginButNo()
+    {
+        // Request with same host as origin
+        $options = array(
+            'allow_origin' => array(),
+        );
+
+        $req = Request::create('/foo', 'GET');
+        $req->headers->set('Host', 'example.com');
+        $req->headers->set('Origin', 'http://evil.com');
+
+        $dispatcher = m::mock('Symfony\Component\EventDispatcher\EventDispatcherInterface');
+        $dispatcher->shouldReceive('addListener')->times(0);
+
+        $event = new GetResponseEvent(m::mock('Symfony\Component\HttpKernel\HttpKernelInterface'), $req, HttpKernelInterface::MASTER_REQUEST);
+        $this->getListener($dispatcher, $options)->onKernelRequest($event);
+
+        $this->assertNull($event->getResponse());
+    }
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -74,6 +74,10 @@ public function onKernelRequest(GetResponseEvent $event) @@
                 return;
             }
+            if (!$this->checkOrigin($request, $options)) {
+                return;
+            }
             $this->dispatcher->addListener('kernel.response', array($this, 'onKernelResponse'));
             $this->options = $options;
         }
@@ Expand Down @@