Merge pull request #635 in CORE/base-third from bugfix/10.0 to feature/10.0

* commit 'd6dc991aa6d495d59cb4c331286fc1b8e4490f5f': REPORT-34875 跨域CORS漏洞
4 years ago · 71a47915f9
1 changed files with 6 additions and 9 deletions
--- a/fine-socketio/src/main/java/com/fr/third/socketio/handler/EncoderHandler.java
+++ b/fine-socketio/src/main/java/com/fr/third/socketio/handler/EncoderHandler.java
@ -190,16 +190,13 @@ public class EncoderHandler extends ChannelOutboundHandlerAdapter {
            res.headers().add(HttpHeaderNames.SERVER, version);
        }

-        if (configuration.getOrigin() != null) {
-            res.headers().add(HttpHeaderNames.ACCESS_CONTROL_ALLOW_ORIGIN, configuration.getOrigin());
-            res.headers().add(HttpHeaderNames.ACCESS_CONTROL_ALLOW_CREDENTIALS, Boolean.TRUE);
-        } else {
-            if (origin != null) {
-                res.headers().add(HttpHeaderNames.ACCESS_CONTROL_ALLOW_ORIGIN, origin);
-                res.headers().add(HttpHeaderNames.ACCESS_CONTROL_ALLOW_CREDENTIALS, Boolean.TRUE);
-            } else {
-                res.headers().add(HttpHeaderNames.ACCESS_CONTROL_ALLOW_ORIGIN, "*");
+        if (origin != null) {
+            String configOrigin = configuration.getOrigin();
+            if (configOrigin != null && !"".equals(configOrigin) && !configOrigin.contains(origin)) {
+                throw new IllegalArgumentException();
            }
+            res.headers().add(HttpHeaderNames.ACCESS_CONTROL_ALLOW_ORIGIN, origin);
+            res.headers().add(HttpHeaderNames.ACCESS_CONTROL_ALLOW_CREDENTIALS, Boolean.TRUE);
        }
    }