From 4653c5d95dffa5a90494a378a9e608bebac8424e Mon Sep 17 00:00:00 2001
From: Kirill
Date: Sun, 20 Oct 2019 19:45:43 +0300
Subject: [PATCH 1/2] Fix Origin header check bypass
---
pwnagotchi/ui/web.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pwnagotchi/ui/web.py b/pwnagotchi/ui/web.py
index 9eb5b8f6..ad727f75 100644
--- a/pwnagotchi/ui/web.py
+++ b/pwnagotchi/ui/web.py
@@ -141,7 +141,7 @@ class Handler(BaseHTTPRequestHandler):
return False
if Handler.AllowedOrigin != '*':
- if origin != Handler.AllowedOrigin and not origin.starts_with(Handler.AllowedOrigin):
+ if origin != Handler.AllowedOrigin:
logging.warning("request with blocked Origin from %s: %s" % (self.address_string(), origin))
return False
From f762c3ac0d8e3f739ff084b94872d3ba4b693acc Mon Sep 17 00:00:00 2001
From: Kirill
Date: Sun, 20 Oct 2019 20:03:17 +0300
Subject: [PATCH 2/2] Fix headers.get('origin') == None check
---
pwnagotchi/ui/web.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pwnagotchi/ui/web.py b/pwnagotchi/ui/web.py
index ad727f75..7a08b8cd 100644
--- a/pwnagotchi/ui/web.py
+++ b/pwnagotchi/ui/web.py
@@ -136,7 +136,7 @@ class Handler(BaseHTTPRequestHandler):
# check the Origin header vs CORS
def _is_allowed(self):
origin = self.headers.get('origin')
- if origin == "":
+ if not origin:
logging.warning("request with no Origin header from %s" % self.address_string())
return False
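Review bot: The exact comparison on the new `if origin != Handler.AllowedOrigin:` line is the right fix, but nothing in the code records why the prefix test was dropped, and a later maintainer could reintroduce it; add a comment above it such as `# exact match only: a startswith() check accepted any origin that merely began with AllowedOrigin`. The strict equality also means cosmetic differences in the configured value (a trailing slash, different case) will cause legitimate requests to be rejected with the "blocked Origin" warning, so it may be worth stating wherever AllowedOrigin is documented that it must be the bare scheme://host[:port] form; where it is set is not visible from this hunk. _is_allowed begins before this hunk.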
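Review bot: The new `if not origin:` guard now covers the header being absent (`self.headers.get('origin')` returns None in that case) as well as an empty value, but the intent is not recorded and the log line still says only "no Origin header"; a short comment would keep the two cases explicit: `# headers.get() returns None when Origin is absent; treat absent and empty alike and reject`. Since the `'*'` branch below this hunk is only reached after this check, a request with no Origin header is rejected even when any origin is allowed, which is presumably intended for a CORS gate but is worth a sentence in the comment that precedes _is_allowed. _is_allowed continues past the end of the hunk.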