From f292efff46ae17e9d104f865a60a39a2ae9402f1 Mon Sep 17 00:00:00 2001
From: Ernest Micklei
Date: Tue, 29 Mar 2022 21:28:05 +0200
Subject: [PATCH] use exact matching of allowed domain entries, issue #489
---
 cors_filter.go | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/cors_filter.go b/cors_filter.go
index d6e7c857..96e3d463 100644
--- a/cors_filter.go
+++ b/cors_filter.go
@@ -5,6 +5,7 @@ package restful
 // that can be found in the LICENSE file.
 
 import (
+	"fmt"
 	"regexp"
 	"strconv"
 	"strings"
@@ -191,11 +192,15 @@ func (c CrossOriginResourceSharing) isValidAccessControlRequestHeader(header str
 	return false
 }
 
-// Take a list of strings and compile them into a list of regular expressions.
-func compileRegexps(regexpStrings []string) ([]*regexp.Regexp, error) {
+// Take a list of allowed domains as strings and compile them into a list of regular expressions.
+func compileRegexps(allowedDomains []string) ([]*regexp.Regexp, error) {
 	regexps := []*regexp.Regexp{}
-	for _, regexpStr := range regexpStrings {
-		r, err := regexp.Compile(regexpStr)
+	for _, each := range allowedDomains {
+		// make sure the expression represents an exact match
+		if !strings.HasPrefix(each, "^") {
+			each = fmt.Sprintf("^%s$", each)
+		}
+		r, err := regexp.Compile(each)
 		if err != nil {
 			return regexps, err
 		}
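Review bot: The anchoring guarded by `if !strings.HasPrefix(each, "^")` only covers entries with no leading `^`; an entry that already starts with `^` but has no trailing `$` is compiled unchanged and still matches any origin that merely begins with that prefix, which is the over-matching the commit sets out to remove. The start and end anchors should be checked independently, as in the fence below, and with plain concatenation the `fmt` import added in the first hunk is no longer needed. Plain entries such as `https://example.com` are still interpreted as regular expressions, so an unescaped `.` matches any character; the comment above compileRegexps should say so, e.g. `// Each entry is a regular expression; anchors are added when missing, and regexp metacharacters (such as '.') must be escaped for a literal match.`, since escaping cannot be added here without changing the meaning of existing regex entries. compileRegexps continues past the end of the hunk.
```go
	for _, each := range allowedDomains {
		// make sure the expression represents an exact match: anchor both ends
		if !strings.HasPrefix(each, "^") {
			each = "^" + each
		}
		if !strings.HasSuffix(each, "$") {
			each += "$"
		}
		r, err := regexp.Compile(each)
		// … unchanged: error check …
```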