From 39d874374dd60c6452b7edee738d7ddaa2537bc2 Mon Sep 17 00:00:00 2001 From: mutantmonkey Date: Sun, 11 Oct 2015 20:06:14 -0700 Subject: [PATCH] trim trailing / for origin checking --- csrf.go | 2 +- server_test.go | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/csrf.go b/csrf.go index a743a04..5f8ca48 100644 --- a/csrf.go +++ b/csrf.go @@ -16,7 +16,7 @@ func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []stri return false } - if origin := r.Header.Get("Origin"); origin != "" && !strings.HasPrefix(origin, prefix) { + if origin := r.Header.Get("Origin"); origin != "" && !strings.HasPrefix(origin, strings.TrimSuffix(prefix, "/")) { return false } diff --git a/server_test.go b/server_test.go index ebacfc3..e653dec 100644 --- a/server_test.go +++ b/server_test.go @@ -248,7 +248,7 @@ func TestPostCodeUploadBadOrigin(t *testing.T) { req.PostForm = form req.Header.Set("Content-Type", "application/x-www-form-urlencoded") req.Header.Set("Referer", Config.siteURL) - req.Header.Set("Origin", "http://example.com/") + req.Header.Set("Origin", "http://example.com") mux.ServeHTTP(w, req) @@ -274,6 +274,7 @@ func TestPostCodeExpiryJSONUpload(t *testing.T) { req.Header.Set("Content-Type", "application/x-www-form-urlencoded") req.Header.Set("Accept", "application/json") req.Header.Set("Referer", Config.siteURL) + req.Header.Set("Origin", strings.TrimSuffix(Config.siteURL, "/")) mux.ServeHTTP(w, req)