CORS origin validation incorrectly allows non-matching origins due to preg_match logic flaw #8

@aharon-hibob

Summary

The isOriginAllowed method in the CORS class has a logical flaw in its regex validation that causes it to incorrectly allow origins that don't match the specified pattern.

Current Behavior

The method currently uses:

return preg_match($allowedOrigin, $origin) !== false;

This check incorrectly returns true for both actual matches AND non-matches, because preg_match() returns:

  • 1 when pattern matches
  • 0 when pattern doesn't match
  • false on error

The !== false check passes for both 1 and 0, meaning non-matching origins are incorrectly allowed through.

Expected Behavior

Only origins that actually match the regex pattern should be allowed.

Proposed Fix

Change the validation to:

return preg_match($allowedOrigin, $origin) === 1;

This ensures only actual pattern matches return true.

Location

File: src/Cors.php
Method: isOriginAllowed
Line: The preg_match validation within the regex pattern check

Impact

This is a security issue as it allows unauthorized origins to bypass CORS restrictions when regex patterns are used for origin validation.

Steps to Reproduce

  1. Configure CORS with a regex pattern like /^https:\/\/example\.com$/
  2. Make a request from an origin that doesn't match (e.g., https://malicious.com)
  3. Observe that the request is incorrectly allowed

Environment

  • Package version: Latest
  • PHP version: Any
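
The report above, reproduced as a stand-alone script (an added example, not code from the issue or from the package): it runs the quoted flawed check and the proposed check side by side against the pattern from the reproduction steps. The function names `isOriginAllowedFlawed` and `isOriginAllowedFixed`, the sample origins, and the deliberately broken pattern are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-alone copies of the check; the real method lives in src/Cors.php.

// Flawed check as quoted in the issue: 0 (no match) !== false evaluates to true.
function isOriginAllowedFlawed(string $allowedOrigin, string $origin): bool
{
    return preg_match($allowedOrigin, $origin) !== false;
}

// Check as proposed in the issue: only an actual match (1) is accepted.
function isOriginAllowedFixed(string $allowedOrigin, string $origin): bool
{
    return preg_match($allowedOrigin, $origin) === 1;
}

// Pattern taken from the reproduction steps.
$pattern = '/^https:\/\/example\.com$/';

// Constructed sample origins: one match, then three non-matches.
$origins = [
    'https://example.com',
    'https://malicious.com',
    'https://example.com.malicious.com',
    'http://example.com',
];

foreach ($origins as $origin) {
    printf(
        "%-36s raw=%-5s flawed=%-5s fixed=%s\n",
        $origin,
        var_export(preg_match($pattern, $origin), true),
        var_export(isOriginAllowedFlawed($pattern, $origin), true),
        var_export(isOriginAllowedFixed($pattern, $origin), true)
    );
}

// Error case: a constructed pattern with an unclosed group fails to compile,
// so preg_match() returns false (the warning is suppressed with @ here).
// Both checks reject it, which is why the flaw only shows up on non-matches.
$broken = '/^https:\/\/(example\.com$/';
printf(
    "broken pattern: raw=%s flawed=%s fixed=%s\n",
    var_export(@preg_match($broken, 'https://example.com'), true),
    var_export(@isOriginAllowedFlawed($broken, 'https://example.com'), true),
    var_export(@isOriginAllowedFixed($broken, 'https://example.com'), true)
);
```

A regression test for the fix should assert on a non-matching origin, since a test that only checks the matching origin passes with either comparison.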
