Prevent crashing on an invalid Origin header.

Fixes #701.
adamchainz · Dec 5, 2021 · 01b7c15 · 01b7c15
1 parent e96fa85
commit 01b7c15
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 2 deletions.
diff --git a/HISTORY.rst b/HISTORY.rst
@@ -2,6 +2,10 @@
 History
 =======
 
+* Prevent a crash when an invalid ``Origin`` header is sent.
+
+  Thanks to minusf for the report in `Issue #701 <https://github.com/adamchainz/django-cors-headers/issues/701>`__.
+
 3.10.0 (2021-10-05)
 -------------------
 

diff --git a/src/corsheaders/middleware.py b/src/corsheaders/middleware.py
@@ -131,8 +131,10 @@ def process_response(
         if not origin:
             return response
 
-        # todo: check hostname from db instead
-        url = urlparse(origin)
+        try:
+            url = urlparse(origin)
+        except ValueError:
+            return response
 
         if conf.CORS_ALLOW_CREDENTIALS:
             response[ACCESS_CONTROL_ALLOW_CREDENTIALS] = "true"

diff --git a/tests/test_middleware.py b/tests/test_middleware.py
@@ -32,6 +32,10 @@ def test_get_origin_vary_by_default(self):
         resp = self.client.get("/")
         assert resp["Vary"] == "Origin"
 
+    def test_get_invalid_origin(self):
+        resp = self.client.get("/", HTTP_ORIGIN="http://example.com]")
+        assert ACCESS_CONTROL_ALLOW_ORIGIN not in resp
+
     @override_settings(CORS_ALLOWED_ORIGINS=["http://example.com"])
     def test_get_not_in_allowed_origins(self):
         resp = self.client.get("/", HTTP_ORIGIN="http://example.org")
-Original file line number
+Diff line change
@@ Expand Up / @@ -2,6 +2,10 @@ @@
     History
     =======
+    * Prevent a crash when an invalid ``Origin`` header is sent.
+      Thanks to minusf for the report in `Issue #701 <https://github.com/adamchainz/django-cors-headers/issues/701>`__.
 .10.0 (2021-10-05)
     -------------------
@@ Expand Down @@