[httpd] Add requirement for Access-Control-Request-Method for preflight CORS

2025-01-14 08:15:02 -05:00 · 2016-10-19 17:29:22 +02:00 · 2016-10-19 17:29:22 +02:00 · 54a09fce63
commit 54a09fce63
parent 57945a592c
1 changed files with 4 additions and 1 deletions
--- a/src/httpd.c
+++ b/src/httpd.c
@ -1053,7 +1053,10 @@ httpd_gen_cb(struct evhttp_request *req, void *arg)

  // Did we get a CORS preflight request?
  input_headers = evhttp_request_get_input_headers(req);
-  if (allow_origin && (evhttp_request_get_command(req) == EVHTTP_REQ_OPTIONS) && evhttp_find_header(input_headers, "Origin"))
+  if ( input_headers && allow_origin &&
+       (evhttp_request_get_command(req) == EVHTTP_REQ_OPTIONS) &&
+       evhttp_find_header(input_headers, "Origin") &&
+       evhttp_find_header(input_headers, "Access-Control-Request-Method") )
    {
      output_headers = evhttp_request_get_output_headers(req);