adamchainz / django-cors-headers

Django app for handling the server headers required for Cross-Origin Resource Sharing (CORS)


unhandled invalid HTTP_ORIGIN

minusf opened this issue

Understanding CORS

  • I have read the resources.

Python Version

3.9.7

Django Version

3.2.8

Package Version

3.10.0

Description

it seems that an unparsable, invalid HTTP_ORIGIN header is a trivial way to exception/mail spam a django instance:

Internal Server Error: /

ValueError at /
Invalid IPv6 URL
...
HTTP_ORIGIN = 'https://example.com].evil.com'
HTTP_REFERER = 'https://example.com].evil.com'

https://github.com/adamchainz/django-cors-headers/blob/main/src/corsheaders/middleware.py#L135

this was generated by a security scanner btw.

i think in this case HTTP_ORIGIN should be simply ignored and the library should behave as if there was no header at all.
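The failure mode described in this issue, as an added example that is not part of the issue or of django-cors-headers' own code: the "Invalid IPv6 URL" ValueError in the traceback is raised by urllib.parse.urlsplit when the host part contains an unmatched "]", and SplitResult.port raises a further ValueError for a non-numeric port. The parser below treats every such value the way the report asks for, as if no Origin header had been sent, so a hostile header yields no CORS headers instead of a 500 response and an error e-mail. The names parse_origin, cors_headers_for and the allowed_origins parameter are assumptions for this illustration; the sample header values are constructed, except for the malformed one quoted in the issue.

```python
from urllib.parse import urlsplit

# Constructed sample Origin values for the demonstration (not from a real request,
# apart from the malformed value quoted in the issue).
SAMPLE_ORIGINS = [
    "https://example.com",
    "https://example.com:443",
    "http://localhost:8000",
    "https://[::1]:8000",
    "https://example.com].evil.com",   # from the issue: urlsplit() raises "Invalid IPv6 URL"
    "https://example.com:notaport",    # urlsplit() succeeds, SplitResult.port raises ValueError
    "null",                            # opaque origin sent by browsers; no scheme, treat as absent
    "",
]

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_origin(origin):
    """Return a normalised (scheme, host, port) tuple for an Origin header value.

    Returns None for a missing, empty or malformed value. Both places where
    urllib.parse can raise ValueError (urlsplit itself and the .port property)
    are inside the try block, so no header value can propagate an exception.
    """
    if not origin:
        return None
    try:
        parts = urlsplit(origin)
        port = parts.port
    except ValueError:
        return None
    if not parts.scheme or not parts.hostname:
        return None
    if port is None:
        port = DEFAULT_PORTS.get(parts.scheme)
    # .hostname is already lower-cased, so the tuple is safe to compare directly
    return (parts.scheme, parts.hostname, port)


def cors_headers_for(origin, allowed_origins):
    """Return the CORS response headers for this request, or {} if none apply.

    allowed_origins is an iterable of origin strings (a hypothetical stand-in for an
    allow-list setting). An unparsable Origin is handled exactly like a request that
    carries no Origin header: no CORS headers are added and no error is raised.
    """
    parsed = parse_origin(origin)
    if parsed is None:
        return {}
    allowed = {parse_origin(a) for a in allowed_origins} - {None}
    if parsed not in allowed:
        return {}
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}


if __name__ == "__main__":
    for value in SAMPLE_ORIGINS:
        print(f"{value!r:40} -> {parse_origin(value)}")
```

Comparing normalised tuples rather than raw strings means "https://example.com" and "https://example.com:443" are treated as the same origin, while the echoed Access-Control-Allow-Origin value stays the exact string the browser sent, which is what the browser matches against.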

Thank you for the report. I've fixed this in #715 and released the fix in version 3.10.1. If you could check this with your security scanner again, that would be great.

thank you for looking into this. the security scanner is not managed by us, so i can't request another scan, but fuzzing ORIGIN: is more than enough and it fixes it.