Request::getOrigin() accepts only URL as defined in RFC 6454

dg · dg · commit ffa2680d5e62 · 2026-05-26T18:53:18.000+02:00
diff --git a/src/Http/Request.php b/src/Http/Request.php
@@ -212,14 +212,11 @@ public function getReferer(): ?UrlImmutable
 	 */
 	public function getOrigin(): ?UrlImmutable
 	{
-		$header = $this->headers['origin'] ?? 'null';
-		try {
-			return $header === 'null'
-				? null
-				: new UrlImmutable($header);
-		} catch (Nette\InvalidArgumentException) {
+		$header = $this->headers['origin'] ?? '';
+		if (!preg_match('~^[a-z][a-z0-9+.-]*://[^/]+$~i', $header)) {
 			return null;
 		}
+		return new UrlImmutable($header);
 	}
 
 
diff --git a/tests/Http/Request.getOrigin.phpt b/tests/Http/Request.getOrigin.phpt
@@ -27,3 +27,11 @@ test('valid Origin header', function () {
 	]);
 	Assert::equal(new UrlImmutable('https://nette.org'), $request->getOrigin());
 });
+
+
+test('invalid Origin header', function () {
+	$request = new Http\Request(new Http\UrlScript, headers: [
+		'Origin' => 'https://nette.org/path',
+	]);
+	Assert::null($request->getOrigin());
+});

Original file line number	Diff line number	Diff line change
`@@ -212,14 +212,11 @@ public function getReferer(): ?UrlImmutable`
`212`	`212`	`*/`
`213`	`213`	`public function getOrigin(): ?UrlImmutable`
`214`	`214`	`{`
`215`		`- $header = $this->headers['origin'] ?? 'null';`
`216`		`- try {`
`217`		`- return $header === 'null'`
`218`		`- ? null`
`219`		`- : new UrlImmutable($header);`
`220`		`- } catch (Nette\InvalidArgumentException) {`
	`215`	`+ $header = $this->headers['origin'] ?? '';`
	`216`	`+ if (!preg_match('~^[a-z][a-z0-9+.-]*://[^/]+$~i', $header)) {`
`221`	`217`	`return null;`
`222`	`218`	`}`
	`219`	`+ return new UrlImmutable($header);`
`223`	`220`	`}`
`224`	`221`
`225`	`222`