From: Kyle Kelley
Date: Fri, 24 Jan 2014 19:47:49 +0000 (-0600)
Subject: Add tests, fix allowed_origins, rebase tests
X-Git-Tag: v4.0.0b1~35^2~6
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=217ba68490e690a7fd6185b9c6d8367713034c3f;p=thirdparty%2Ftornado.git
Add tests, fix allowed_origins, rebase tests
---
diff --git a/tornado/test/websocket_test.py b/tornado/test/websocket_test.py
index e45066536..87dae7697 100644
--- a/tornado/test/websocket_test.py
+++ b/tornado/test/websocket_test.py
@@ -173,6 +173,39 @@ class WebSocketTest(AsyncHTTPTestCase):
 self.assertEqual(code, 1001)
 self.assertEqual(reason, 'goodbye')
+ @gen_test
+ def test_check_origin_valid(self):
+ port = self.get_http_port()
+
+ url = 'ws://localhost:%d/echo' % port
+ headers = {'Origin': 'http://localhost:%d' % port}
+
+ ws = yield websocket_connect(HTTPRequest(url, headers=headers),
+ io_loop=self.io_loop)
+ ws.write_message('hello')
+ response = yield ws.read_message()
+ self.assertEqual(response, 'hello')
+ ws.close()
+ yield self.close_future
+
+ @gen_test
+ def test_check_origin_invalid(self):
+ '''Currently a failing test'''
+ port = self.get_http_port()
+
+ url = 'ws://localhost:%d/echo' % port
+ headers = {'Origin': 'http://somewhereelse.com'}
+
+ ws = yield websocket_connect(HTTPRequest(url, headers=headers),
+ io_loop=self.io_loop)
+ ws.write_message('hello')
+
+ response = yield ws.read_message()
+
+ self.assertEqual(response, 'hello')
+ ws.close()
+ yield self.close_future
+
 class MaskFunctionMixin(object):
 # Subclasses should define self.mask(mask, data)
diff --git a/tornado/websocket.py b/tornado/websocket.py
index 7fb4d8bc7..22369c87c 100644
--- a/tornado/websocket.py
+++ b/tornado/websocket.py
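Review bot: `test_check_origin_invalid` asserts that a handshake carrying `Origin: http://somewhereelse.com` is accepted and echoes 'hello', so it passes only when the origin check lets a foreign origin through. A regression test for the origin protection should pin the refusal instead: wrap the connect in `with self.assertRaises(HTTPError) as cm:` and assert the rejection status on `cm.exception.code`. The status the handler returns is not visible in this diff, and `HTTPError` may need importing in the test module. The docstring `'''Currently a failing test'''` should then state what is enforced, e.g. `'''A handshake from a foreign Origin is refused.'''`. The enclosing WebSocketTest class starts outside the hunk.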
@@ -270,8 +270,11 @@ class WebSocketHandler(tornado.web.RequestHandler): By default, this checks to see that requests that provide both a host origin have the same origin and host This is a security protection against cross site scripting attacks on browsers, - since WebSockets don't have CORS headers.""" - + since WebSockets don't have CORS headers. + + >>> self.check_origins(allowed_origins=['localhost']) + + """ # Handle WebSocket Origin naming convention differences # The difference between version 8 and 13 is that in 8 the # client sends a "Sec-Websocket-Origin" header and in 13 it's @@ -290,7 +293,7 @@ class WebSocketHandler(tornado.web.RequestHandler): parsed_origin = urlparse(origin_header) origin = parsed_origin.netloc - if origin in allowed_origins: + if allowed_origins and origin in allowed_origins: return True # Check to see that origin matches host directly, including ports
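Review bot: The added docstring example `>>> self.check_origins(allowed_origins=['localhost'])` does not show how entries are matched. The later hunk compares `parsed_origin.netloc` with the list by exact membership, and a netloc carries the port, so `'localhost'` would not match an Origin of `http://localhost:8888`. The `>>>` line also has no expected output and refers to `self`, so it cannot run as a doctest. The method name in it should be checked against the `def` line, which is outside the hunk. I would replace the example with a sentence such as `allowed_origins is a list of exact host[:port] values, e.g. ['example.com', 'localhost:8888']`.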
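Review bot: In the new condition `if allowed_origins and origin in allowed_origins:`, `origin in allowed_origins` is an exact match only when `allowed_origins` is a list, tuple or set. If a caller passes a single string, `in` becomes a substring test: any Origin whose netloc is a fragment of that string is accepted, as is an Origin that parses to an empty netloc. The new truthiness guard does not cover this case. Normalising the argument before the test would close it, e.g. `if isinstance(allowed_origins, str): allowed_origins = [allowed_origins]`, using the project's string-type alias if it has one. The comparison is also case-sensitive, so lower-casing both sides would keep a mixed-case entry from silently never matching. The function's signature and the rest of its body are outside the hunk, so how `allowed_origins` is supplied should be confirmed there.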