Fix incorrect substring matches when strings are used as origins or h…

…eaders (#165) * Match exactly Access-Control-Allow-Headers
corydolphin · Jul 2, 2016 · 9cd3f29 · 9cd3f29
1 parent fbcf147
commit 9cd3f29
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 9 deletions.
diff --git a/flask_cors/core.py b/flask_cors/core.py
@@ -260,15 +260,14 @@ def try_match_any(inst, patterns):
     return any(try_match(inst, pattern) for pattern in patterns)
 
 
-def try_match(request_origin, pattern):
+def try_match(request_origin, maybe_regex):
     """Safely attempts to match a pattern or string to a request origin."""
-    try:
-        if isinstance(pattern, RegexObject):
-            return re.match(pattern, request_origin)
-        else:
-            return re.match(pattern, request_origin, flags=re.IGNORECASE)
-    except:
-        return request_origin == pattern
+    if isinstance(maybe_regex, RegexObject):
+        return re.match(maybe_regex, request_origin)
+    elif probably_regex(maybe_regex):
+        return re.match(maybe_regex, request_origin, flags=re.IGNORECASE)
+    else:
+        return request_origin == maybe_regex
 
 
 def get_cors_options(appInstance, *dicts):

diff --git a/tests/core/helper_tests.py b/tests/core/helper_tests.py
@@ -21,7 +21,8 @@
 
 class InternalsTestCase(unittest.TestCase):
     def test_try_match(self):
-        self.assertTrue(try_match('www.com/foo+', 'www.com/foo'))
+        self.assertFalse(try_match('www.com/foo', 'www.com/fo'))
+        self.assertTrue(try_match('www.com/foo', 'www.com/fo*'))
 
     def test_flexible_str_str(self):
         self.assertEquals(flexible_str('Bar, Foo, Qux'), 'Bar, Foo, Qux')