Description
Summary
The isOriginAllowed method in the CORS class has a logical flaw in its regex validation that causes it to incorrectly allow origins that don't match the specified pattern.
Current Behavior
The method currently uses:
    return preg_match($allowedOrigin, $origin) !== false;

This check incorrectly returns true for both actual matches AND non-matches, because preg_match() returns:
- 1 when pattern matches
- 0 when pattern doesn't match
- false on error
The !== false check passes for both 1 and 0, meaning non-matching origins are incorrectly allowed through.
Expected Behavior
Only origins that actually match the regex pattern should be allowed.
Proposed Fix
Change the validation to:
    return preg_match($allowedOrigin, $origin) === 1;

This ensures only actual pattern matches return true.
Location
File: src/Cors.php
Method: isOriginAllowed
Line: The preg_match validation within the regex pattern check
Impact
This is a security issue as it allows unauthorized origins to bypass CORS restrictions when regex patterns are used for origin validation.
Steps to Reproduce
- Configure CORS with a regex pattern like /^https:\/\/example\.com$/
- Make a request from an origin that doesn't match (e.g., https://malicious.com)
- Observe that the request is incorrectly allowed
Environment
- Package version: Latest
- PHP version: Any
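The difference between the two return expressions above can be seen side by side in the following added example, which is not code from the package. The function names `originAllowedLoose` and `originAllowedStrict` are hypothetical stand-ins for the regex branch of isOriginAllowed, the origins are constructed samples, and the `/u` modifier is an assumption added so that an invalid UTF-8 origin exercises the `false` (error) return of preg_match().

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the reported check: only the return
// expression is taken from the issue text.
function originAllowedLoose(string $allowedOrigin, string $origin): bool
{
    // preg_match() yields 1 (match), 0 (no match) or false (error);
    // both 1 and 0 are "not identical to false".
    return preg_match($allowedOrigin, $origin) !== false;
}

// Hypothetical stand-in for the proposed fix.
function originAllowedStrict(string $allowedOrigin, string $origin): bool
{
    // Only an actual match is accepted; 0 and false are both rejected.
    return preg_match($allowedOrigin, $origin) === 1;
}

// Pattern from the reproduction steps, with /u added (assumption) so the
// error path can be triggered without an invalid pattern.
$pattern = '/^https:\/\/example\.com$/u';

// Constructed sample origins.
$origins = [
    'https://example.com',       // the configured origin
    'https://malicious.com',     // origin from the reproduction steps
    "https://example.com\xff",   // invalid UTF-8 byte: preg_match() errors under /u
];

foreach ($origins as $origin) {
    $raw = preg_match($pattern, $origin);
    printf(
        "%-28s preg_match=%-5s loose=%-5s strict=%s\n",
        addcslashes($origin, "\x80..\xff"),   // keep the output printable
        var_export($raw, true),
        var_export(originAllowedLoose($pattern, $origin), true),
        var_export(originAllowedStrict($pattern, $origin), true)
    );
}
```

With the `!== false` check, only the error case is rejected; the `=== 1` check also fails closed when preg_match() itself errors.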