From 44759fd66c30ca30d5cc30285c017258c19d7cad Mon Sep 17 00:00:00 2001
From: silverwind
Date: Wed, 16 Jan 2019 05:16:45 +0100
Subject: [PATCH] Add proper CORS preflight origin validation (#5740)

---
 routers/repo/http.go | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/routers/repo/http.go b/routers/repo/http.go
index 1728a75fc..01c84b370 100644
--- a/routers/repo/http.go
+++ b/routers/repo/http.go
@@ -28,13 +28,25 @@ import (
 // HTTP implmentation git smart HTTP protocol
 func HTTP(ctx *context.Context) {
 if len(setting.Repository.AccessControlAllowOrigin) > 0 {
+allowedOrigin := setting.Repository.AccessControlAllowOrigin
 // Set CORS headers for browser-based git clients
-ctx.Resp.Header().Set("Access-Control-Allow-Origin", setting.Repository.AccessControlAllowOrigin)
+ctx.Resp.Header().Set("Access-Control-Allow-Origin", allowedOrigin)
 ctx.Resp.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization, User-Agent")
 // Handle preflight OPTIONS request
 if ctx.Req.Method == "OPTIONS" {
-ctx.Status(http.StatusOK)
+if allowedOrigin == "*" {
+ctx.Status(http.StatusOK)
+} else if allowedOrigin == "null" {
+ctx.Status(http.StatusForbidden)
+} else {
+origin := ctx.Req.Header.Get("Origin")
+if len(origin) > 0 && origin == allowedOrigin {
+ctx.Status(http.StatusOK)
+} else {
+ctx.Status(http.StatusForbidden)
+}
+}
 return
 }
 }
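Review bot: The `null` branch only rejects the preflight, but `Access-Control-Allow-Origin: null` is still set unconditionally on the line above the OPTIONS check for every request, so a page sending `Origin: null` (a sandboxed iframe or a `file://` page) can still read simple GET responses such as `info/refs`, because browsers treat a literal `null` allow-origin value as a match. If the intent is to refuse that origin entirely, do not emit the header at all for that configuration, e.g. wrap the two `Set` calls in `if allowedOrigin != "null" { ... }`, or move the `Set` into the branches that have validated the request. The `len(origin) > 0` guard is redundant once `origin == allowedOrigin` is required, since `allowedOrigin` is already known to be non-empty and not `*`/`null` in that branch. The body of `HTTP` continues past the end of the hunk.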