unhandled invalid HTTP_ORIGIN
minusf opened this issue · comments
Understanding CORS
- I have read the resources.
Python Version
3.9.7
Django Version
3.2.8
Package Version
3.10.0
Description
It seems that an unparsable, invalid HTTP_ORIGIN header is a trivial way to exception/mail-spam a Django instance:
Internal Server Error: /
ValueError at /
Invalid IPv6 URL
...
HTTP_ORIGIN = 'https://example.com].evil.com'
HTTP_REFERER = 'https://example.com].evil.com'
https://github.com/adamchainz/django-cors-headers/blob/main/src/corsheaders/middleware.py#L135
this was generated by a security scanner btw.
I think in this case HTTP_ORIGIN should simply be ignored and the library should behave as if there were no header at all.
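To make the failure mode concrete, here is an added example (not code from django-cors-headers or from the reporter) that reproduces the `ValueError` the standard-library URL parser raises for the scanner's origin, and shows a hypothetical hardened helper that treats an unparsable Origin the way the report suggests: as if no header had been sent. The helper names (`safe_origin_parts`, `cors_headers_for`) and the allow-list are assumptions for illustration, not the library's API or its actual fix in #715.

```python
from urllib.parse import urlparse

# Constructed sample inputs: the scanner-generated origin from the report,
# a well-formed one, one with a non-numeric port, and the literal "null".
MALFORMED_ORIGIN = "https://example.com].evil.com"
VALID_ORIGIN = "https://example.com"
BAD_PORT_ORIGIN = "https://example.com:abc"
NULL_ORIGIN = "null"


def parse_error_for(origin):
    """Return the ValueError message urlparse raises for `origin`, or None.

    A ']' in the netloc without a matching '[' makes the parser reject the
    string as a malformed bracketed IPv6 host; this is the unhandled exception
    from the traceback above.
    """
    try:
        urlparse(origin)
    except ValueError as exc:
        return str(exc)
    return None


def safe_origin_parts(origin):
    """Hypothetical hardened parse: (scheme, hostname, port) or None.

    None means "behave as if the Origin header were absent". Both urlparse()
    itself and the .port property can raise ValueError on attacker-controlled
    input, so both are evaluated inside the try block. "null" and other
    scheme-less values also yield None, since they can never match an
    https://host:port allow-list entry.
    """
    if not origin:
        return None
    try:
        parts = urlparse(origin)
        hostname = parts.hostname  # lower-cased, brackets stripped
        port = parts.port          # raises ValueError for non-numeric/out-of-range
    except ValueError:
        return None
    if not parts.scheme or not hostname:
        return None
    return (parts.scheme, hostname, port)


def cors_headers_for(origin, allowed_origins):
    """Hypothetical middleware decision: headers to add for this Origin.

    An unparsable or absent origin gets no CORS headers and, crucially, no
    exception, so a scanner cannot turn the header into a 500 + error mail.
    """
    if safe_origin_parts(origin) is None:
        return {}
    if origin not in allowed_origins:
        return {}
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}


if __name__ == "__main__":
    print("urlparse error:", parse_error_for(MALFORMED_ORIGIN))
    for o in (MALFORMED_ORIGIN, VALID_ORIGIN, BAD_PORT_ORIGIN, NULL_ORIGIN, None):
        print(repr(o), "->", cors_headers_for(o, {VALID_ORIGIN}))
```

Note that the parse error is raised before any allow-list comparison, so even an origin that could never be allowed still crashes an unguarded request handler; catching `ValueError` at the parse site is what turns the scanner's input into a harmless no-CORS response.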
Thank you for the report. I've fixed this in #715 and released the fix in version 3.10.1. If you could check this with your security scanner again, that would be great.
Thank you for looking into this. The security scanner is not managed by us, so I can't request another scan, but fuzzing ORIGIN:
is more than enough and it fixes it.