[BUG][UI] Web UI crash if single char '*' is set in the 'Access-Control-Allow-Headers value'

[thelittlefireman]

What happened?

Hi,
Access Control Allow headers should allow the value '*' for wildacard https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Access-Control-Allow-Headers but the regex in the CORS plugin does not allow that

bunkerweb/src/common/core/cors/plugin.json

Line 42 in ca282af

"regex": "^(\\*|(?![, ])(,? ?([\\w\\-]+))*)?$",

Moreover on the UI if you set a '*' in the 'Access-Control-Allow-Headers value' my chrome tab is crashing.

How to reproduce?

start a simple instance with bunkerweb ui and try to add a '*' in the 'Access-Control-Allow-Headers value' field, the tab crash and/or it's rejected by the regex.

Configuration file(s) (yaml or .env)

Relevant log output

BunkerWeb version

1.6.4

What integration are you using?

Docker

Linux distribution (if applicable)

Synology

Removed private data

• I have removed all private data from the configuration file and the logs

Code of Conduct

• I agree to follow this project's Code of Conduct

[TheophileDiot]

Hi @thelittlefireman, it accepts the * sign: https://regex101.com/r/hJufOK/1

[TheophileDiot]

About the web UI crash, thank you for sharing this bug, I'll have a look and let you know

[TheophileDiot]

Hi @thelittlefireman, getting back on this. I couldn't reproduce the bug in the 1.6.5 version, can you confirm that it's fixed for you as well ? Thank you!

[thelittlefireman]

hi, @TheophileDiot , i've try again and it still there. I use chrome browser, and i seems thats the entire tab is crashing.