From 7cc56e16309f9bcfa33e8bd0e6d839c39751c31a Mon Sep 17 00:00:00 2001
From: Sebastien Deleuze
Date: Thu, 19 Feb 2015 14:12:10 +0100
Subject: [PATCH] Improve error handling in WebUtils.isValidOrigin()
With this commit, WebUtils.isValidOrigin() logs an error message instead of throwing an IllegalArgumentException when Origin header value is invalid (for example when it does not contain the scheme).
Issue: SPR-12697
---
 .../org/springframework/web/util/WebUtils.java | 14 +++++++++++++-
 .../springframework/web/util/WebUtilsTests.java | 4 ++++
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/spring-web/src/main/java/org/springframework/web/util/WebUtils.java b/spring-web/src/main/java/org/springframework/web/util/WebUtils.java
index 2821b5e2fb9..c406c506f78 100644
--- a/spring-web/src/main/java/org/springframework/web/util/WebUtils.java
+++ b/spring-web/src/main/java/org/springframework/web/util/WebUtils.java
@@ -33,6 +33,9 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; + import org.springframework.http.HttpRequest; import org.springframework.util.Assert; import org.springframework.util.LinkedMultiValueMap;
@@ -131,6 +134,8 @@ public abstract class WebUtils { /** Key for the mutex session attribute */ public static final String SESSION_MUTEX_ATTRIBUTE = WebUtils.class.getName() + ".MUTEX"; + private static final Log logger = LogFactory.getLog(WebUtils.class); + /** * Set a system property to the web application root directory. 
@@ -786,7 +791,14 @@ public abstract class WebUtils {
 return true;
 }
 else if (allowedOrigins.isEmpty()) {
- UriComponents originComponents = UriComponentsBuilder.fromHttpUrl(origin).build();
+ UriComponents originComponents;
+ try {
+ originComponents = UriComponentsBuilder.fromHttpUrl(origin).build();
+ }
+ catch (IllegalArgumentException ex) {
+ logger.error("Failed to parse Origin header value [" + origin + "]");
+ return false;
+ }
 UriComponents requestComponents = UriComponentsBuilder.fromHttpRequest(request).build();
 int originPort = getPort(originComponents);
 int requestPort = getPort(requestComponents);
diff --git a/spring-web/src/test/java/org/springframework/web/util/WebUtilsTests.java b/spring-web/src/test/java/org/springframework/web/util/WebUtilsTests.java
index e0a66ce26e2..be8a2cec53d 100644
--- a/spring-web/src/test/java/org/springframework/web/util/WebUtilsTests.java
+++ b/spring-web/src/test/java/org/springframework/web/util/WebUtilsTests.java
@@ -142,6 +142,10 @@ public class WebUtilsTests { request.getHeaders().set(HttpHeaders.ORIGIN, "https://mydomain1.com"); assertFalse(WebUtils.isValidOrigin(request, allowedOrigins)); + servletRequest.setServerName("invalid-origin"); + request.getHeaders().set(HttpHeaders.ORIGIN, "invalid-origin"); + assertFalse(WebUtils.isValidOrigin(request, allowedOrigins)); + allowedOrigins = Arrays.asList("*"); servletRequest.setServerName("mydomain1.com"); request.getHeaders().set(HttpHeaders.ORIGIN, "http://mydomain2.com");
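Review bot: The new catch block interpolates the raw, client-supplied Origin value into an ERROR-level log entry and discards `ex`, so any unauthenticated client can fill the error log with entries whose content it controls (CR/LF sequences included, which the backing logger typically does not escape) while the cause of the parse failure is lost. A client-triggered parse failure fits better at debug or warn level with the exception attached, e.g. `logger.debug("Failed to parse Origin header value [" + origin + "]", ex);`, and the value could be truncated or sanitized before it is written. Note also that the catch covers only the `allowedOrigins.isEmpty()` branch; whether the other branches of isValidOrigin also parse the Origin header cannot be seen here, as the method starts and ends outside the hunk.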
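Review bot: The added assertion exercises an unparsable Origin only under the allowed-origins configuration active at that point, which is set outside the hunk; the `Arrays.asList("*")` configuration on the following context line and a non-empty explicit list get no invalid-Origin case, so a parse failure in those paths of isValidOrigin would go untested. The `servletRequest.setServerName("invalid-origin")` call also appears unnecessary for a case whose Origin header is expected to fail parsing rather than be compared against the server name; a comment such as `// Origin without a scheme must be rejected, not throw` would make the intent of the three added lines clear. The enclosing test method starts and ends outside the hunk.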