corydolphin / flask-cors

Cross Origin Resource Sharing ( CORS ) support for Flask
https://flask-cors.corydolphin.com/
MIT License

Wildcard origin pattern is too generic - matches incorrectly on more complicated patterns #256

Closed sfilipov closed 4 years ago

sfilipov commented 4 years ago

Inside `get_cors_origins` the variable `wildcard` is defined as `r'.*' in origins`. This is too generic because it matches, for example, patterns like `r'^https://app\.(.*?\.)example\.com$'`, since `r'.*'` is present in that pattern.

This can cause issues later on with `if wildcard and options.get('send_wildcard'):`, which considers `wildcard` True, thus `origins` must be `.*`, but it is not. It is a more complicated pattern that happens to contain `.*` inside of it.

I think the correct way to do it would be `wildcard = r'.*' == origins` rather than `wildcard = r'.*' in origins`, but I am not completely familiar with the code and I might be wrong.

I hope I'm not wasting your time by not completely understanding the code.

sfilipov commented 4 years ago

Sorry for bothering you; I figured out that by the time `origins` is passed to `get_cors_origins`, you've made sure it is iterable by passing it through `ensure_iterable`.

Which means `r'.*' in origins` is looking for the string inside a list of strings, rather than looking for a substring.

Closing as this is not a bug!
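The difference the two comments above hinge on, as an added example that is not flask-cors code: `ensure_iterable` here is a simplified stand-in for the library's helper, and `allow_origin_header` is a constructed model of the `send_wildcard` decision, not the real implementation.

```python
import re

# Constructed sample: the pattern from the issue. It contains the characters ".*"
# but is not the wildcard pattern r'.*'.
SUBDOMAIN_PATTERN = r'^https://app\.(.*?\.)example\.com$'


def ensure_iterable(origins):
    """Simplified stand-in for flask-cors' ensure_iterable: a lone string becomes a one-element list."""
    if isinstance(origins, str):
        return [origins]
    return list(origins)


def substring_wildcard(origins):
    """The check as the issue first read it: a substring search on the raw pattern string."""
    return r'.*' in origins


def membership_wildcard(origins):
    """The check as it actually runs: list membership, so only an exact r'.*' entry counts."""
    return r'.*' in ensure_iterable(origins)


def allow_origin_header(origins, request_origin, send_wildcard, wildcard_check):
    """Hypothetical model of the send_wildcard branch.

    Returns '*' when the wildcard flag is set and send_wildcard is on; otherwise echoes
    the request origin only if a configured pattern matches it, and None (no header) if not.
    """
    if wildcard_check(origins) and send_wildcard:
        return '*'
    for pattern in ensure_iterable(origins):
        if re.match(pattern, request_origin):
            return request_origin
    return None


if __name__ == '__main__':
    # Substring reading: the subdomain pattern is wrongly treated as the wildcard,
    # so an unrelated origin gets Access-Control-Allow-Origin: *.
    print(allow_origin_header(SUBDOMAIN_PATTERN, 'https://other.example.org', True, substring_wildcard))
    # Membership reading (what the library does): the unrelated origin gets no header.
    print(allow_origin_header(SUBDOMAIN_PATTERN, 'https://other.example.org', True, membership_wildcard))
```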

corydolphin commented 4 years ago

@sfilipov thanks for taking the time to open (and close!) the issue. Glad everything is working as expected.