CORS security: reflecting any origin header value when configured to * is dangerous #16193

Closed
chenjj opened this issue Apr 29, 2018 · 4 comments · Fixed by #16198

Comments

@chenjj
Contributor

chenjj commented Apr 29, 2018

When the CORS policy is configured to *, the current Yii2 CORS filter actively converts it to reflect any Origin header value. This kind of behavior is dangerous and has caused many security problems in the past.

Some similar security issues:
cyu/rack-cors#126
https://nodesecurity.io/advisories/148

Some related blog posts:
http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html
https://ejj.io/misconfigured-cors/

@samdark
Member

samdark commented Apr 30, 2018

What do you propose?

@chenjj
Contributor Author

chenjj commented Apr 30, 2018

Hi Alexander, thanks for your reply.

Current CORS standards (both W3C CORS and the WHATWG fetch standard) have a clear definition for the wildcard *, which means any domain is allowed. But they also have another important security requirement: Origin: * and Credentials: true cannot be used at the same time, to avoid overly loose permissions. Currently all browsers follow this requirement and disallow this configuration combination.

If a framework actively converts * to reflect any Origin header value, it means Origin: * and Credentials: true can be used at the same time. This behavior allows the CORS protocol's security design to be bypassed, causing many misconfiguration security problems.

Therefore, I suggest that frameworks follow the standard definition of *. When a user configures Origin: *, frameworks should just directly return Access-Control-Allow-Origin: *. When a user configures both Origin: * and Credentials: true, frameworks should warn users that this is a misconfiguration because browsers will not accept this combination.
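The behaviour proposed in the two comments above, written out as an added PHP example. This is not Yii2's CORS filter and not the code of PR #16198; the `corsHeaders` function, the `origins`/`credentials` policy array shape and the sample requests are all assumptions constructed for illustration. It answers a literal `*` when the policy says `*`, reflects an Origin only when it appears in an explicit allow-list, and refuses the `*` plus credentials combination instead of silently turning it into reflection.

```php
<?php
// Added example, not Yii2's own code: compute CORS response headers from a
// static policy and the request's Origin header without ever reflecting an
// arbitrary Origin when the policy is "*".
declare(strict_types=1);

/**
 * $policy is a constructed configuration shape (assumed, not the Yii2 filter's):
 *   'origins'     => ['*'] or an explicit list of allowed origins
 *   'credentials' => bool (whether Access-Control-Allow-Credentials is sent)
 * Returns the headers to send, or an empty array when the origin is not allowed.
 * Throws when the policy combines "*" with credentials, which browsers reject.
 */
function corsHeaders(array $policy, ?string $requestOrigin): array
{
    $origins     = $policy['origins'] ?? [];
    $credentials = (bool)($policy['credentials'] ?? false);
    $wildcard    = in_array('*', $origins, true);

    if ($wildcard && $credentials) {
        // Misconfiguration: the standard forbids "*" together with credentials.
        // Refuse loudly rather than quietly echoing the caller's Origin.
        throw new InvalidArgumentException(
            'CORS misconfiguration: Access-Control-Allow-Origin "*" cannot be '
            . 'combined with Access-Control-Allow-Credentials: true.'
        );
    }

    if ($wildcard) {
        // Follow the standard literally: answer "*", do not echo the Origin.
        return ['Access-Control-Allow-Origin' => '*'];
    }

    if ($requestOrigin === null || !in_array($requestOrigin, $origins, true)) {
        // Origin not in the allow-list: send no CORS headers at all.
        return [];
    }

    // Explicit allow-list match: echoing is safe here because only configured
    // values are ever reflected. "Vary: Origin" stops a shared cache from
    // serving one origin's response to another.
    $headers = [
        'Access-Control-Allow-Origin' => $requestOrigin,
        'Vary'                        => 'Origin',
    ];
    if ($credentials) {
        $headers['Access-Control-Allow-Credentials'] = 'true';
    }
    return $headers;
}

// Constructed sample requests, so the file can be run directly with `php`.
$cases = [
    [['origins' => ['*']],                                           'https://other.example'],
    [['origins' => ['https://app.example'], 'credentials' => true],  'https://app.example'],
    [['origins' => ['https://app.example'], 'credentials' => true],  'https://other.example'],
    [['origins' => ['*'],                   'credentials' => true],  'https://other.example'],
];
foreach ($cases as [$policy, $origin]) {
    try {
        var_export(corsHeaders($policy, $origin));
        echo "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The first case yields only `Access-Control-Allow-Origin: *`, the second reflects the listed origin with credentials, the third sends no CORS headers, and the fourth is rejected at configuration time, which is the warning the comment asks for.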

@samdark
Member

samdark commented Apr 30, 2018

Agree. Do you want to make a pull request?

@chenjj
Contributor Author

chenjj commented Apr 30, 2018

Thanks. Yes, I'd love to make more contributions for this project.

I made a pull request (#16198) just now, and hope it could be helpful for you.
