Pull request #626: REPORT-34875 跨域CORS漏洞

Merge in CORE/base-third from ~ZHOUPING/base-third:release/10.0 to release/10.0

* commit 'ebad86bac8395eaee80c9d1e15ae9e26c69d562b':
  REPORT-34875 跨域CORS漏洞

fine-socketio/src/main/java/com/fr/third/socketio/handler/EncoderHandler.java

@@ -190,16 +190,13 @@ public class EncoderHandler extends ChannelOutboundHandlerAdapter {
             res.headers().add(HttpHeaderNames.SERVER, version);
         }
 
-        if (configuration.getOrigin() != null) {
+        if (origin != null) {
-            res.headers().add(HttpHeaderNames.ACCESS_CONTROL_ALLOW_ORIGIN, configuration.getOrigin());
+            String configOrigin = configuration.getOrigin();
-            res.headers().add(HttpHeaderNames.ACCESS_CONTROL_ALLOW_CREDENTIALS, Boolean.TRUE);
+            if (configOrigin != null && !"".equals(configOrigin) && !configOrigin.contains(origin)) {
-        } else {
+                throw new IllegalArgumentException();
-            if (origin != null) {
-                res.headers().add(HttpHeaderNames.ACCESS_CONTROL_ALLOW_ORIGIN, origin);
-                res.headers().add(HttpHeaderNames.ACCESS_CONTROL_ALLOW_CREDENTIALS, Boolean.TRUE);
-            } else {
-                res.headers().add(HttpHeaderNames.ACCESS_CONTROL_ALLOW_ORIGIN, "*");
             }
+            res.headers().add(HttpHeaderNames.ACCESS_CONTROL_ALLOW_ORIGIN, origin);
+            res.headers().add(HttpHeaderNames.ACCESS_CONTROL_ALLOW_CREDENTIALS, Boolean.TRUE);
         }
     }