Enforce 'Origin' validation

README.md

@@ -135,6 +135,7 @@ This next release focus on two-factor-authentication as a measure to increase se
 * Limit incorrect attempts to change the user's password to prevent brute force attacks #225 [CVE-2022-3273](https://nvd.nist.gov/vuln/detail/CVE-2022-3273)
 * Enforce password policy new password cannot be set as new password [CVE-2022-3376](https://nvd.nist.gov/vuln/detail/CVE-2022-3376)
 * Enforce better rate limit on login, mfa, password change and API [CVE-2022-3439](https://nvd.nist.gov/vuln/detail/CVE-2022-3439) [CVE-2022-3456](https://nvd.nist.gov/vuln/detail/CVE-2022-3456)
+* Enforce 'Origin' validation [CVE-2022-3457](https://nvd.nist.gov/vuln/detail/CVE-2022-3457)
 
 Breaking changes:
 

rdiffweb/controller/tests/test_secure_headers.py

@@ -93,6 +93,15 @@ def test_post_with_wrong_origin(self):
         self.assertStatus(403)
         self.assertInBody('Unexpected Origin header')
 
+    def test_post_with_prefixed_origin(self):
+        # Given a POST request made to rdiffweb
+        # When the request is made using a different origin
+        base = 'http://%s:%s' % (self.HOST + 'anything.com', self.PORT)
+        self.getPage('/dashboard/', headers=[('Origin', base)], method='POST')
+        # Then the request is accepted with 200 OK
+        self.assertStatus(403)
+        self.assertInBody('Unexpected Origin header')
+
     def test_post_with_valid_origin(self):
         # Given a POST request made to rdiffweb
         # When the request is made using a different origin

rdiffweb/tools/secure_headers.py

@@ -59,7 +59,7 @@ def set_headers(
     # Check if Origin matches our target.
     if request.method in ['POST', 'PUT', 'PATCH', 'DELETE']:
         origin = request.headers.get('Origin', None)
-        if origin and not origin.startswith(request.base):
+        if origin and origin != request.base:
             raise cherrypy.HTTPError(403, 'Unexpected Origin header')
 
     # Check if https is enabled