Panic on wildcard in Cors builder's allowed_origin() (#114)
* Assert allowed origin in Cors builder * Add panic test for wildcard * Add changelog entry * rustfmt * Apply suggestions from code review Co-authored-by: Rob Ede <robjtede@icloud.com> Co-authored-by: Rob Ede <robjtede@icloud.com>
parent
134e43ab5e
commit
06f17ec223
@ -1,6 +1,9 @@
|
||||
# Changes
|
||||
|
||||
## Unreleased - 2020-xx-xx
|
||||
* Disallow `*` in `Cors::allowed_origin` by panicking. [#114].
|
||||
|
||||
[#114]: https://github.com/actix/actix-extras/pull/114
|
||||
|
||||
|
||||
## 0.4.1 - 2020-10-07
|
||||
|
@ -115,10 +115,18 @@ impl Cors {
|
||||
/// `allowed_origin_fn` function is set, these functions will be used to determinate
|
||||
/// allowed origins.
|
||||
///
|
||||
/// Builder panics if supplied origin is not valid uri.
|
||||
/// # Panics
|
||||
///
|
||||
/// * If supplied origin is not valid uri, or
|
||||
/// * If supplied origin is a wildcard (`*`). [`Cors::send_wildcard`] should be used instead.
|
||||
///
|
||||
/// [Fetch Standard]: https://fetch.spec.whatwg.org/#origin-header
|
||||
pub fn allowed_origin(mut self, origin: &str) -> Cors {
|
||||
assert!(
|
||||
origin != "*",
|
||||
"Wildcard in `allowed_origin` is not allowed. Use `send_wildcard`."
|
||||
);
|
||||
|
||||
if let Some(cors) = cors(&mut self.cors, &self.error) {
|
||||
match TryInto::<Uri>::try_into(origin) {
|
||||
Ok(_) => {
|
||||
|
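Review bot: The new `assert!(origin != "*", …)` in `allowed_origin` matches only the exact one-character string, so inputs such as `" *"` or a pattern like `https://*.example.com` pass this guard and reach the `TryInto::<Uri>` check, whose result for them is not visible in this hunk. Since the guard exists to prevent an accidental allow-all policy, the doc comment should state that scope, for example `/// Only the exact string "*" is rejected; other values are treated as literal origins.` (confirm that origins really are matched literally before adding the second half). The `# Panics` list also says an invalid URI panics, but the `Err` arm of the match is outside the hunk, so check whether that panic happens in this call or only later when the builder is finished, and word the docs accordingly. The function body continues past the end of the hunk.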
@ -10,6 +10,17 @@ use regex::bytes::Regex;
|
||||
|
||||
use actix_cors::Cors;
|
||||
|
||||
#[actix_rt::test]
|
||||
#[should_panic]
|
||||
async fn test_wildcard_origin() {
|
||||
Cors::new()
|
||||
.allowed_origin("*")
|
||||
.finish()
|
||||
.new_transform(test::ok_service())
|
||||
.await
|
||||
.unwrap();
|
||||
}
|
||||
|
||||
#[actix_rt::test]
|
||||
async fn test_not_allowed_origin_fn() {
|
||||
let mut cors = Cors::new()
|
||||
|
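Review bot: `#[should_panic]` on `test_wildcard_origin` has no `expected` string, so the test passes on any panic in the chain, including one raised by `.finish()`, `new_transform` or the final `.unwrap()`. It would therefore keep passing if the wildcard guard were removed while a later step still panicked. Pin it to the guard's message with `#[should_panic(expected = "Wildcard in")]`. Because the panic is meant to fire inside `.allowed_origin("*")`, the calls after it are never reached and the test body could stop at that call.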