From c64c96dac803ebc0dbd50bf8f2f44ed52d5d4933 Mon Sep 17 00:00:00 2001 From: chrislu Date: Mon, 14 Jul 2025 22:23:47 -0700 Subject: [PATCH] fix for tests --- weed/s3api/cors/cors.go | 45 +++++++++++++++++++++-------------------- 1 file changed, 23 insertions(+), 22 deletions(-) diff --git a/weed/s3api/cors/cors.go b/weed/s3api/cors/cors.go index 484e67eb3..f0cb88513 100644 --- a/weed/s3api/cors/cors.go +++ b/weed/s3api/cors/cors.go @@ -194,10 +194,24 @@ func matchesRule(rule *CORSRule, corsReq *CORSRequest) bool { return false } - // For preflight requests, we only check origin matching - // The response building will handle filtering out disallowed methods and headers - // This allows partial CORS responses to be sent + // For preflight requests, we need to validate both the requested method and headers if corsReq.IsPreflightRequest { + // Check if the requested method is allowed + if corsReq.AccessControlRequestMethod != "" { + if !contains(rule.AllowedMethods, corsReq.AccessControlRequestMethod) { + return false + } + } + + // Check if all requested headers are allowed + if len(corsReq.AccessControlRequestHeaders) > 0 { + for _, requestedHeader := range corsReq.AccessControlRequestHeaders { + if !matchesHeader(rule.AllowedHeaders, requestedHeader) { + return false + } + } + } + return true } @@ -316,30 +330,17 @@ func buildResponse(rule *CORSRule, corsReq *CORSRequest) *CORSResponse { AllowOrigin: corsReq.Origin, } - // Set allowed methods - for preflight requests, check if the requested method is allowed - if corsReq.IsPreflightRequest && corsReq.AccessControlRequestMethod != "" { - if contains(rule.AllowedMethods, corsReq.AccessControlRequestMethod) { - response.AllowMethods = corsReq.AccessControlRequestMethod - } else { - // If the requested method is not allowed, return all allowed methods - response.AllowMethods = strings.Join(rule.AllowedMethods, ", ") - } + // Set allowed methods - for preflight requests, return all allowed methods + if corsReq.IsPreflightRequest { + response.AllowMethods = strings.Join(rule.AllowedMethods, ", ") } else { // For non-preflight requests, return all allowed methods response.AllowMethods = strings.Join(rule.AllowedMethods, ", ") } - // Set allowed headers - for preflight requests, return the specific headers that were requested and are allowed - if corsReq.IsPreflightRequest && len(corsReq.AccessControlRequestHeaders) > 0 { - allowedHeaders := make([]string, 0) - for _, requestedHeader := range corsReq.AccessControlRequestHeaders { - if matchesHeader(rule.AllowedHeaders, requestedHeader) { - allowedHeaders = append(allowedHeaders, requestedHeader) - } - } - if len(allowedHeaders) > 0 { - response.AllowHeaders = strings.Join(allowedHeaders, ", ") - } + // Set allowed headers - for preflight requests, return all allowed headers + if corsReq.IsPreflightRequest && len(rule.AllowedHeaders) > 0 { + response.AllowHeaders = strings.Join(rule.AllowedHeaders, ", ") } else if len(rule.AllowedHeaders) > 0 { // For non-preflight requests, return the allowed headers from the rule response.AllowHeaders = strings.Join(rule.AllowedHeaders, ", ")