From 9ac96cdd50d6e77141005b24832423b53e9c38dc Mon Sep 17 00:00:00 2001
From: shortcutme
Date: Mon, 2 Sep 2019 02:09:53 +0200
Subject: [PATCH] Don't leak allowed origins in error message
---
 src/Ui/UiRequest.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Ui/UiRequest.py b/src/Ui/UiRequest.py
index 2a09bd3e..0c3ea447 100644
--- a/src/Ui/UiRequest.py
+++ b/src/Ui/UiRequest.py
@@ -735,7 +735,7 @@ class UiRequest(object):
 origin_host = origin.split("://", 1)[-1]
 if origin_host != host and origin_host not in self.server.allowed_ws_origins:
 ws.send(json.dumps({"error": "Invalid origin: %s" % origin}))
- return self.error403("Invalid origin: %s %s" % (origin, self.server.allowed_ws_origins))
+ return self.error403("Invalid origin: %s" % origin)
 # Find site by wrapper_key
 wrapper_key = self.get["wrapper_key"]
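Review bot: The new `return self.error403("Invalid origin: %s" % origin)` still echoes the request-supplied `origin` into the 403 body, and the `ws.send` line above it does the same. Whether `error403` escapes its message is not visible in this hunk, so a constant client-facing string is the safer form: `return self.error403("Invalid origin")`. The rejected origin and the allowed list are still useful to an operator diagnosing a misconfigured proxy, so they should go to the server-side log rather than being dropped. A short comment above the return, such as `# Client-visible errors must not include allowed_ws_origins`, would keep a later edit from restoring the leak. The enclosing method starts and ends outside the hunk.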