fix panic in cors if request does not contain origin header and send_wildcard is not set

2024-07-04 04:55:48 +00:00 · 2018-03-10 08:31:20 -08:00 · 2018-03-10 08:31:20 -08:00 · 4263574a58
parent 84ef5ee410
commit 4263574a58
2 changed files with 22 additions and 2 deletions
--- a/CHANGES.md
+++ b/CHANGES.md
@ -4,6 +4,8 @@

 * Fix client cookie handling

+* Fix CORS middleware #117
+
 * Optimize websockets stream support


--- a/src/middleware/cors.rs
+++ b/src/middleware/cors.rs
@ -349,8 +349,7 @@ impl<S> Middleware<S> for Cors {
                if self.send_wildcard {
                    resp.headers_mut().insert(
                        header::ACCESS_CONTROL_ALLOW_ORIGIN, HeaderValue::from_static("*"));
-                } else {
-                    let origin = req.headers().get(header::ORIGIN).unwrap();
+                } else if let Some(origin) = req.headers().get(header::ORIGIN) {
                    resp.headers_mut().insert(
                        header::ACCESS_CONTROL_ALLOW_ORIGIN, origin.clone());
                }
@ -807,6 +806,25 @@ mod tests {
        assert!(cors.start(&mut req).unwrap().is_done());
    }

+    #[test]
+    fn test_no_origin_response() {
+        let cors = Cors::build().finish().unwrap();
+
+        let mut req = TestRequest::default().method(Method::GET).finish();
+        let resp: HttpResponse = HttpOk.into();
+        let resp = cors.response(&mut req, resp).unwrap().response();
+        assert!(resp.headers().get(header::ACCESS_CONTROL_ALLOW_ORIGIN).is_none());
+
+        let mut req = TestRequest::with_header(
+            "Origin", "https://www.example.com")
+            .method(Method::OPTIONS)
+            .finish();
+        let resp = cors.response(&mut req, resp).unwrap().response();
+        assert_eq!(
+            &b"https://www.example.com"[..],
+            resp.headers().get(header::ACCESS_CONTROL_ALLOW_ORIGIN).unwrap().as_bytes());
+    }
+
    #[test]
    fn test_response() {
        let cors = Cors::build()