Merge pull request #634 in CORE/base-third from release/10.0 to bugfix/10.0

* commit '206a78c0f62d13f9c394a2bf5029f6cd806018c3': REPORT-34875 跨域CORS漏洞
4 years ago · d6dc991aa6
1 changed files with 6 additions and 9 deletions
--- a/fine-socketio/src/main/java/com/fr/third/socketio/handler/EncoderHandler.java
+++ b/fine-socketio/src/main/java/com/fr/third/socketio/handler/EncoderHandler.java
@ -190,16 +190,13 @@ public class EncoderHandler extends ChannelOutboundHandlerAdapter {
            res.headers().add(HttpHeaderNames.SERVER, version);
        }
-        if (configuration.getOrigin() != null) {
+        if (origin != null) {
-            res.headers().add(HttpHeaderNames.ACCESS_CONTROL_ALLOW_ORIGIN, configuration.getOrigin());
+            String configOrigin = configuration.getOrigin();
-            res.headers().add(HttpHeaderNames.ACCESS_CONTROL_ALLOW_CREDENTIALS, Boolean.TRUE);
+            if (configOrigin != null && !"".equals(configOrigin) && !configOrigin.contains(origin)) {
-        } else {
+                throw new IllegalArgumentException();
            if (origin != null) {
                res.headers().add(HttpHeaderNames.ACCESS_CONTROL_ALLOW_ORIGIN, origin);
                res.headers().add(HttpHeaderNames.ACCESS_CONTROL_ALLOW_CREDENTIALS, Boolean.TRUE);
            } else {
                res.headers().add(HttpHeaderNames.ACCESS_CONTROL_ALLOW_ORIGIN, "*");
            }
            res.headers().add(HttpHeaderNames.ACCESS_CONTROL_ALLOW_ORIGIN, origin);
            res.headers().add(HttpHeaderNames.ACCESS_CONTROL_ALLOW_CREDENTIALS, Boolean.TRUE);
        }
    }