From b08de20d006002bb8b5b07bb8b3ab7ce5536b4c9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maximilian=20B=C3=B6sing?= <2189546+boesing@users.noreply.github.com>
Date: Fri, 8 Dec 2023 18:18:49 +0100
Subject: [PATCH] bugfix: handle unhandled `InvalidOriginValueException`
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

For origins resulting in `InvalidOriginValueException`, we can assume that these are actual CORS requests. If these are made from unsupported origins, we should treat these as unauthorized requests.

Signed-off-by: Maximilian Bösing <2189546+boesing@users.noreply.github.com>
---
 src/Middleware/CorsMiddleware.php | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/Middleware/CorsMiddleware.php b/src/Middleware/CorsMiddleware.php
index aa4f93e..63fdf0c 100644
--- a/src/Middleware/CorsMiddleware.php
+++ b/src/Middleware/CorsMiddleware.php
@@ -4,6 +4,7 @@ namespace Mezzio\Cors\Middleware;
+use Mezzio\Cors\Exception\InvalidOriginValueException;
 use Mezzio\Cors\Middleware\Exception\InvalidConfigurationException;
 use Mezzio\Cors\Service\ConfigurationLocatorInterface;
 use Mezzio\Cors\Service\CorsInterface;
@@ -46,11 +47,18 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
 throw InvalidConfigurationException::fromInvalidPipelineConfiguration();
 }
- if (! $this->cors->isCorsRequest($request)) {
+ try {
+ $isCorsRequest = $this->cors->isCorsRequest($request);
+ } catch (InvalidOriginValueException $exception) {
+ return $this->responseFactory->unauthorized($exception->origin);
+ }
+
+ if (! $isCorsRequest) {
 return $this->vary($handler->handle($request));
 }
 $metadata = $this->cors->metadata($request);
+
 if ($this->cors->isPreflightRequest($request)) {
 return $this->preflight($metadata) ?? $handler->handle($request);
 }
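Review bot: In the new `catch` branch of `process()`, `$exception->origin` is the Origin value that has just failed validation, and it is passed unchanged to `$this->responseFactory->unauthorized()`. That factory is outside this hunk, so confirm that it does not copy the value into a header, reason phrase or body without encoding, because at this point the string is client-controlled and known to be malformed. The early return also skips `$this->vary()`, which the non-CORS path directly below applies; if that helper adds `Vary: Origin`, as its name suggests, a shared cache could serve this rejection to requests from other origins, so consider `return $this->vary($this->responseFactory->unauthorized($exception->origin));`. The body of `process()` starts and ends outside the hunk.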