Fix #16193 to not reflect origin header for wildcard origins

6 years ago · 2b6d181878
3 changed files with 37 additions and 2 deletions
--- a/framework/CHANGELOG.md
+++ b/framework/CHANGELOG.md
@ -3,7 +3,7 @@ Yii Framework 2 Change Log

 2.0.16 under development
 ------------------------
-
+- Bug #16193: Fixed `yii\filters\Cors` to not reflect origin header value when configured to wildcard origins. (Jianjun Chen)
 - Bug #16068: Fixed `yii\web\CookieCollection::has` when an expiration param is set to 'until the browser is closed' (OndrejVasicek)
 - Bug #16006: Handle case when `X-Forwarded-Host` header have multiple hosts separated with a comma (pgaultier)
 - Bug #16010: Fixed `yii\filters\ContentNegotiator` behavior when GET parameters contain an array (rugabarbo)
--- a/framework/filters/Cors.php
+++ b/framework/filters/Cors.php
@ -160,9 +160,22 @@ class Cors extends ActionFilter
        $responseHeaders = [];
        // handle Origin
        if (isset($requestHeaders['Origin'], $this->cors['Origin'])) {
-            if (in_array('*', $this->cors['Origin']) || in_array($requestHeaders['Origin'], $this->cors['Origin'])) {
+            if (in_array($requestHeaders['Origin'], $this->cors['Origin'])) {
                $responseHeaders['Access-Control-Allow-Origin'] = $requestHeaders['Origin'];
            }
+
+            if (in_array('*', $this->cors['Origin'])) {
+                // Per CORS standard(https://fetch.spec.whatwg.org), wildcard origins shouldn't be used together with credentails.
+                if (isset($this->cors['Access-Control-Allow-Credentials']) && $this->cors['Access-Control-Allow-Credentials']) {
+                    if (YII_DEBUG) {
+                        throw new Exception("Allowing credentials for wildcard origins is insecure. Please specify more restrictive origins or set 'credentials' to false in your CORS configuration.");
+                    } else {
+                        Yii::error("Allowing credentials for wildcard origins is insecure. Please specify more restrictive origins or set 'credentials' to false in your CORS configuration.", __METHOD__);
+                    }
+                } else {
+                    $responseHeaders['Access-Control-Allow-Origin'] = "*";
+                }
+            }
        }

        $this->prepareAllowHeaders('Headers', $requestHeaders, $responseHeaders);
--- a/tests/framework/filters/CorsTest.php
+++ b/tests/framework/filters/CorsTest.php
@ -42,4 +42,26 @@ class CorsTest extends TestCase
        $request->headers->remove('Access-Control-Request-Method');
        $this->assertTrue($cors->beforeAction($action));
    }
+
+    public function testWildcardOrigin()
+    {
+        $this->mockWebApplication();
+        $controller = new Controller('id', Yii::$app);
+        $action = new Action('test', $controller);
+        $request = new Request();
+
+        $cors = new Cors([
+            'cors' => [
+                'Origin' => ['*',],
+                'Access-Control-Allow-Credentials' => false,
+            ],
+        ]);
+        $cors->request = $request;
+
+        $_SERVER['REQUEST_METHOD'] = 'GET';
+        $_SERVER['HTTP_ORIGIN'] = 'http://foo.com';
+        $this->assertTrue($cors->beforeAction($action));
+        $this->assertEquals('*', $cors->response->getHeaders()->get('access-control-allow-origin'));
+    }
+
 }