From c8f9a612503b59f2ad7d798df333430d33546a85 Mon Sep 17 00:00:00 2001
From: Calvin Yu
Date: Tue, 19 Nov 2019 23:36:48 -0500
Subject: [PATCH] Return 400 on preflight for invalid requests

Addresses part of [#192]
---
 CHANGELOG.md     | 1 +
 lib/rack/cors.rb | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index acd30d3..12a11f5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,7 @@ All notable changes to this project will be documented in this file.
 - Use Rack::Utils.escape_path instead of Rack::Utils.escape
 - Require Rack 2.0 for escape_path method
 - Don't try to clean path if invalid.
+- Return 400 (Bad Request) on preflights with invalid path
 
 ## 1.0.6 - 2019-11-14
 ### Changed
diff --git a/lib/rack/cors.rb b/lib/rack/cors.rb
index 3cc1fc3..bafde6c 100644
--- a/lib/rack/cors.rb
+++ b/lib/rack/cors.rb
@@ -76,7 +76,9 @@ def call(env)
           " Access-Control-Request-Headers: #{env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS]}"
         ].join("\n")
       end
-      if env[REQUEST_METHOD] == OPTIONS and env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]
+
+      if env[REQUEST_METHOD] == OPTIONS && env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]
+        return [400, {}, []] unless Rack::Utils.valid_path?(path)
         headers = process_preflight(env, path)
         debug(env) do
           "Preflight Headers:\n" +
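Review bot: The early `return [400, {}, []]` in the cors.rb hunk sends a response with no headers at all, and Rack::Lint in the Rack 2 line this project now requires (per the changelog entry) rejects any non-1xx/204/304 response without a Content-Type; `return [400, { 'Content-Type' => 'text/plain' }, []] unless Rack::Utils.valid_path?(path)` keeps the rejection lint-clean. The guard also short-circuits before the `debug(env)` block below it, so an operator running with debug enabled gets no trace of a malformed preflight being refused; a `debug(env) { "Preflight rejected, invalid path: #{path.inspect}" }` ahead of the return would make those rejections observable. Whether `path` here is the raw PATH_INFO or the already escaped form is decided by lines before the hunk, and `call` both starts and ends outside it.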