fix: allow origins check

Refactor CORS origin validation and normalization to trim leading or trailing whitespace in the cfg.AllowOrigins string [list]. URLs with whitespace inside the URL are invalid, so the normalizeOrigin will return false because url.Parse will fail, and the middleware will panic. fixes #2882
gofiber · ReneWerner87 · Mar 1, 2024 · Feb 26, 2024 · Feb 26, 2024 · Feb 26, 2024
commit a27346b4b141f2c0cf684092f08a98db0e33f134
@@ -113,24 +113,28 @@ func New(config ...Config) fiber.Handler {
  panic("[CORS] Insecure setup, 'AllowCredentials' is set to true, and 'AllowOrigins' is set to a wildcard.")
  }
 
- // Validate and normalize static AllowOrigins if not using AllowOriginsFunc
- if cfg.AllowOriginsFunc == nil && cfg.AllowOrigins != "" && cfg.AllowOrigins != "*" {
- validatedOrigins := []string{}
+ // allowOrigins is a slice of strings that contains the allowed origins
+ // that are defined in the 'AllowOrigins' configuration.
+ var allowOrigins []string
+
+ // Validate and normalize static AllowOrigins
+ if cfg.AllowOrigins != "" && cfg.AllowOrigins != "*" {
  for _, origin := range strings.Split(cfg.AllowOrigins, ",") {
+ origin = strings.TrimSpace(origin)
  isValid, normalizedOrigin := normalizeOrigin(origin)
  if isValid {
- validatedOrigins = append(validatedOrigins, normalizedOrigin)
+ allowOrigins = append(allowOrigins, normalizedOrigin)
  } else {
  log.Warnf("[CORS] Invalid origin format in configuration: %s", origin)
  panic("[CORS] Invalid origin provided in configuration")
  }
  }
- cfg.AllowOrigins = strings.Join(validatedOrigins, ",")
+ } else {
+ // If AllowOrigins is set to a wildcard or not set,
+ // set the allowOrigins to a slice with a single element
+ allowOrigins = []string{cfg.AllowOrigins}
  }
 
- // Convert string to slice
- allowOrigins := strings.Split(strings.ReplaceAll(cfg.AllowOrigins, " ", ""), ",")
-
  // Strip white spaces
  allowMethods := strings.ReplaceAll(cfg.AllowMethods, " ", "")
  allowHeaders := strings.ReplaceAll(cfg.AllowHeaders, " ", "")
@@ -165,10 +169,8 @@ func New(config ...Config) fiber.Handler {
  // Run AllowOriginsFunc if the logic for
  // handling the value in 'AllowOrigins' does
  // not result in allowOrigin being set.
- if allowOrigin == "" && cfg.AllowOriginsFunc != nil {
- if cfg.AllowOriginsFunc(originHeader) {
- allowOrigin = originHeader
- }
+ if allowOrigin == "" && cfg.AllowOriginsFunc != nil && cfg.AllowOriginsFunc(originHeader) {
+ allowOrigin = originHeader
  }
 
  // Simple request