Fix #16193 to not reflect origin header for wildcard origins

framework/CHANGELOG.md

@@ -4,6 +4,7 @@ Yii Framework 2 Change Log
 2.0.16 under development
 ------------------------
 
+- Bug #16193: Fixed `yii\filters\Cors` to not reflect origin header value when configured to wildcard origins (Jianjun Chen)
 - Bug #16068: Fixed `yii\web\CookieCollection::has` when an expiration param is set to 'until the browser is closed' (OndrejVasicek)
 - Bug #16006: Handle case when `X-Forwarded-Host` header have multiple hosts separated with a comma (pgaultier)
 - Bug #16010: Fixed `yii\filters\ContentNegotiator` behavior when GET parameters contain an array (rugabarbo)

framework/filters/Cors.php

@@ -160,9 +160,22 @@ public function prepareHeaders($requestHeaders)
         $responseHeaders = [];
         // handle Origin
         if (isset($requestHeaders['Origin'], $this->cors['Origin'])) {
-            if (in_array('*', $this->cors['Origin']) || in_array($requestHeaders['Origin'], $this->cors['Origin'])) {
+            if (in_array($requestHeaders['Origin'], $this->cors['Origin'], true)) {
                 $responseHeaders['Access-Control-Allow-Origin'] = $requestHeaders['Origin'];
             }
+
+            if (in_array('*', $this->cors['Origin'], true)) {
+                // Per CORS standard (https://fetch.spec.whatwg.org), wildcard origins shouldn't be used together with credentials
+                if (isset($this->cors['Access-Control-Allow-Credentials']) && $this->cors['Access-Control-Allow-Credentials']) {
+                    if (YII_DEBUG) {
+                        throw new Exception("Allowing credentials for wildcard origins is insecure. Please specify more restrictive origins or set 'credentials' to false in your CORS configuration.");
+                    } else {
+                        Yii::error("Allowing credentials for wildcard origins is insecure. Please specify more restrictive origins or set 'credentials' to false in your CORS configuration.", __METHOD__);
+                    }
+                } else {
+                    $responseHeaders['Access-Control-Allow-Origin'] = '*';
+                }
+            }
         }
 
         $this->prepareAllowHeaders('Headers', $requestHeaders, $responseHeaders);

tests/framework/filters/CorsTest.php

@@ -42,4 +42,26 @@ public function testPreflight()
         $request->headers->remove('Access-Control-Request-Method');
         $this->assertTrue($cors->beforeAction($action));
     }
+
+    public function testWildcardOrigin()
+    {
+        $this->mockWebApplication();
+        $controller = new Controller('id', Yii::$app);
+        $action = new Action('test', $controller);
+        $request = new Request();
+
+        $cors = new Cors([
+            'cors' => [
+                'Origin' => ['*',],
+                'Access-Control-Allow-Credentials' => false,
+            ],
+        ]);
+        $cors->request = $request;
+
+        $_SERVER['REQUEST_METHOD'] = 'GET';
+        $_SERVER['HTTP_ORIGIN'] = 'http://foo.com';
+        $this->assertTrue($cors->beforeAction($action));
+        $this->assertEquals('*', $cors->response->getHeaders()->get('access-control-allow-origin'));
+    }
+
 }