diff --git a/src/Microsoft.AspNetCore.Cors/Infrastructure/CorsPolicyExtensions.cs b/src/Microsoft.AspNetCore.Cors/Infrastructure/CorsPolicyExtensions.cs
index deae787231..312f772994 100644
--- a/src/Microsoft.AspNetCore.Cors/Infrastructure/CorsPolicyExtensions.cs
+++ b/src/Microsoft.AspNetCore.Cors/Infrastructure/CorsPolicyExtensions.cs
@@ -16,11 +16,16 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
             {
                 return true;
             }
-            var originUri = new Uri(origin, UriKind.Absolute);
-            return policy.Origins
-                .Where(o => o.Contains($"://{_WildcardSubdomain}"))
-                .Select(CreateDomainUri)
-                .Any(domain => UriHelpers.IsSubdomainOf(originUri, domain));
+
+            if (Uri.TryCreate(origin, UriKind.Absolute, out var originUri))
+            {
+                return policy.Origins
+                    .Where(o => o.Contains($"://{_WildcardSubdomain}"))
+                    .Select(CreateDomainUri)
+                    .Any(domain => UriHelpers.IsSubdomainOf(originUri, domain));
+            }
+
+            return false;
         }
 
         private static Uri CreateDomainUri(string origin)
diff --git a/test/Microsoft.AspNetCore.Cors.Test/CorsPolicyExtensionsTests.cs b/test/Microsoft.AspNetCore.Cors.Test/CorsPolicyExtensionsTests.cs
index 2c323162ca..74dd67db0b 100644
--- a/test/Microsoft.AspNetCore.Cors.Test/CorsPolicyExtensionsTests.cs
+++ b/test/Microsoft.AspNetCore.Cors.Test/CorsPolicyExtensionsTests.cs
@@ -23,6 +23,26 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
             Assert.True(actual);
         }
 
+        [Theory]
+        [InlineData(null)]
+        [InlineData("null")]
+        [InlineData("http://")]
+        [InlineData("http://*")]
+        [InlineData("http://.domain")]
+        [InlineData("http://.domain/hello")]
+        public void IsOriginAnAllowedSubdomain_ReturnsFalseIfOriginIsMalformedUri(string malformedOrigin)
+        {
+            // Arrange
+            var policy = new CorsPolicy();
+            policy.Origins.Add("http://*.domain");
+
+            // Act
+            var actual = policy.IsOriginAnAllowedSubdomain(malformedOrigin);
+
+            // Assert
+            Assert.False(actual);
+        }
+
         [Theory]
         [InlineData("http://sub.domain", "http://*.domain")]
         [InlineData("http://sub.sub.domain", "http://*.domain")]
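Review bot: The new `Uri.TryCreate(origin, UriKind.Absolute, …)` guard only filters out unparsable strings, and an absolute `Uri` is a much wider set than http(s) origins — `file:` and `mailto:` values parse, and on Unix a bare path such as `/x` is reportedly accepted as an implicit `file://` URI — so the scheme and port of `originUri` need to be compared against the wildcard entry as well; whether `UriHelpers.IsSubdomainOf` already does that is not visible in this hunk, and if it only compares hosts then an `http://*.domain` entry would also admit `https://sub.domain`. As a matter of style the successful-parse branch could be inverted into a guard, `if (!Uri.TryCreate(origin, UriKind.Absolute, out var originUri)) { return false; }`, which keeps the LINQ chain at its previous indent and makes the fall-through `return false;` unnecessary. A comment on the guard would record why a parse failure is swallowed rather than surfaced: `// A malformed Origin (or the literal "null" sent for opaque origins) can never be an allowed subdomain; deny instead of throwing.` The method's opening lines, including the exact-match check that returns true above this hunk, are outside the hunk.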
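Review bot: The `"null"` case in `IsOriginAnAllowedSubdomain_ReturnsFalseIfOriginIsMalformedUri` is not a malformed URI — it is the Origin value a browser sends for an opaque origin (sandboxed iframes, `file://` pages, redirects) — so the test name under-describes what it protects, and a comment on that data row would keep the intent from being lost: `// "null" is the Origin sent for opaque origins; a wildcard entry must never match it.` The theory also only covers inputs that fail to parse; well-formed origins that must not match a `http://*.domain` entry, such as `http://domain.evil` (a host whose suffix merely resembles the wildcard's) and, if the scheme is meant to be significant, `https://sub.domain`, are not asserted anywhere in this hunk, and a sibling theory with those rows would pin the negative side of the subdomain match. The surrounding test class continues outside the hunk.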