
@dpgoetz
Created November 5, 2012 17:52
cors diff
diff --git a/swift/proxy/controllers/base.py b/swift/proxy/controllers/base.py
index 582d007..4234493 100644
--- a/swift/proxy/controllers/base.py
+++ b/swift/proxy/controllers/base.py
@@ -39,7 +39,7 @@ from swift.common.exceptions import ChunkReadTimeout, ConnectionTimeout
from swift.common.http import is_informational, is_success, is_redirection, \
is_server_error, HTTP_OK, HTTP_PARTIAL_CONTENT, HTTP_MULTIPLE_CHOICES, \
HTTP_BAD_REQUEST, HTTP_NOT_FOUND, HTTP_SERVICE_UNAVAILABLE, \
- HTTP_INSUFFICIENT_STORAGE
+ HTTP_INSUFFICIENT_STORAGE, HTTP_UNAUTHORIZED
from swift.common.swob import Request, Response, status_map
@@ -710,8 +710,6 @@ class Controller(object):
# NOT a CORS request
return resp
- # CORS preflight request
- CORS_failure_status_code = 401 # the CORS draft spec says, "not 200"
try:
container_info = \
self.container_info(self.account_name, self.container_name)
@@ -723,17 +721,12 @@ class Controller(object):
allowed_origins.update(cors['allow_origin'].split(' '))
if self.app.cors_allow_origin:
allowed_origins.update(self.app.cors_allow_origin)
- if req_origin_value not in allowed_origins and \
- '*' not in allowed_origins:
- if allowed_origins or 'allow_origin' in cors:
- resp.status = CORS_failure_status_code
- return resp # stop CORS processing, just return
- else: # we know nothing about CORS for this resource
- return resp
- if req.headers.get('Access-Control-Request-Method') not in \
- self.allowed_methods:
- resp.status = CORS_failure_status_code
- return resp # CORS preflight request that isn't supported
+ if (req_origin_value not in allowed_origins and
+ '*' not in allowed_origins) or (
+ req.headers.get('Access-Control-Request-Method') not in
+ self.allowed_methods):
+ resp.status = HTTP_UNAUTHORIZED
+ return resp # CORS preflight request that isn't valid
headers['access-control-allow-origin'] = req_origin_value
if cors.get('max_age', None) is not None:
headers['access-control-max-age'] = '%d' % cors.get('max_age')
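Review bot: The merged check ending in `resp.status = HTTP_UNAUTHORIZED` now returns 401 for a preflight against a container that has no CORS configuration at all, where the removed `else` branch ("we know nothing about CORS for this resource") returned the response unchanged. If that tightening is intended, say so next to the condition, for example `# a resource with no CORS config is rejected like a disallowed origin`, and keep the rationale that was deleted with `CORS_failure_status_code`, for example `# the CORS draft spec says "not 200"`. Separately, when the match comes from `'*'`, the unchanged line after the check still echoes the request's Origin into `access-control-allow-origin`; whether that is safe depends on whether credentialed requests are ever allowed, which is not visible in this hunk. The enclosing method starts and ends outside the hunk.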