Return 400 on preflight for invalid requests

Addresses part of [#192]
cyu · Nov 20, 2019 · c8f9a61 · c8f9a61
1 parent ed91aef
commit c8f9a61
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,7 @@ All notable changes to this project will be documented in this file.
 - Use Rack::Utils.escape_path instead of Rack::Utils.escape
 - Require Rack 2.0 for escape_path method
 - Don't try to clean path if invalid.
+- Return 400 (Bad Request) on preflights with invalid path
 
 ## 1.0.6 - 2019-11-14
 ### Changed

diff --git a/lib/rack/cors.rb b/lib/rack/cors.rb
@@ -76,7 +76,9 @@ def call(env)
             "  Access-Control-Request-Headers: #{env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS]}"
             ].join("\n")
         end
-        if env[REQUEST_METHOD] == OPTIONS and env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]
+
+        if env[REQUEST_METHOD] == OPTIONS && env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]
+          return [400, {}, []] unless Rack::Utils.valid_path?(path)
           headers = process_preflight(env, path)
           debug(env) do
             "Preflight Headers:\n" +