GitHub-Spring
/
spring-framework
mirror of https://github.com/spring-projects/spring-framework.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Do not tokenize Forward header value 

This commit remove the tokenization previously used in
UriComponentsBuilder#adaptFromForwardedHeaders, in order to support
Forwarded headers that have multiple, comma-separated 'for' elements.

Closes gh-25737
pull/25798/head
Arjen Poutsma 6 years ago
parent
ed3b7cd10f
commit
07d2c08f48
2 changed files with 22 additions and 3 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 5
      spring-web/src/main/java/org/springframework/web/util/UriComponentsBuilder.java
  2. 20
      spring-web/src/test/java/org/springframework/web/util/UriComponentsBuilderTests.java

5
spring-web/src/main/java/org/springframework/web/util/UriComponentsBuilder.java
Unescape View File

@ -754,8 +754,7 @@ public class UriComponentsBuilder implements UriBuilder, Cloneable {
try { try {
String forwardedHeader = headers.getFirst("Forwarded"); String forwardedHeader = headers.getFirst("Forwarded");
if (StringUtils.hasText(forwardedHeader)) { if (StringUtils.hasText(forwardedHeader)) {
String forwardedToUse = StringUtils.tokenizeToStringArray(forwardedHeader, ",")[0]; Matcher matcher = FORWARDED_PROTO_PATTERN.matcher(forwardedHeader);
Matcher matcher = FORWARDED_PROTO_PATTERN.matcher(forwardedToUse);
if (matcher.find()) { if (matcher.find()) {
scheme(matcher.group(1).trim()); scheme(matcher.group(1).trim());
port(null); port(null);
@ -764,7 +763,7 @@ public class UriComponentsBuilder implements UriBuilder, Cloneable {
scheme("https"); scheme("https");
port(null); port(null);
} }
matcher = FORWARDED_HOST_PATTERN.matcher(forwardedToUse); matcher = FORWARDED_HOST_PATTERN.matcher(forwardedHeader);
if (matcher.find()) { if (matcher.find()) {
adaptForwardedHost(matcher.group(1).trim()); adaptForwardedHost(matcher.group(1).trim());
} }

20
spring-web/src/test/java/org/springframework/web/util/UriComponentsBuilderTests.java
Unescape View File

@ -1114,6 +1114,26 @@ class UriComponentsBuilderTests {
assertThat(result.toUriString()).isEqualTo("https://example.com/rest/mobile/users/1"); assertThat(result.toUriString()).isEqualTo("https://example.com/rest/mobile/users/1");
} }
@Test // gh-25737
void fromHttpRequestForwardedHeaderComma() {
MockHttpServletRequest request = new MockHttpServletRequest();
request.addHeader("Forwarded", "for=192.0.2.0,for=192.0.2.1;proto=https;host=192.0.2.3:9090");
request.setScheme("http");
request.setServerPort(8080);
request.setServerName("example.com");
request.setRequestURI("/rest/mobile/users/1");
HttpRequest httpRequest = new ServletServerHttpRequest(request);
UriComponents result = UriComponentsBuilder.fromHttpRequest(httpRequest).build();
assertThat(result.getScheme()).isEqualTo("https");
assertThat(result.getHost()).isEqualTo("192.0.2.3");
assertThat(result.getPath()).isEqualTo("/rest/mobile/users/1");
assertThat(result.getPort()).isEqualTo(9090);
assertThat(result.toUriString()).isEqualTo("https://192.0.2.3:9090/rest/mobile/users/1");
}
@Test // SPR-16364 @Test // SPR-16364
void uriComponentsNotEqualAfterNormalization() { void uriComponentsNotEqualAfterNormalization() {
UriComponents uri1 = UriComponentsBuilder.fromUriString("http://test.com").build().normalize(); UriComponents uri1 = UriComponentsBuilder.fromUriString("http://test.com").build().normalize();

Write Preview
Loading…
Cancel
Save