GitHub-Spring
/
spring-framework
mirror of https://github.com/spring-projects/spring-framework.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Check scheme in (WebUtils|CorsUtils)#isSameOrigin 

Issue: SPR-16362
pull/1921/merge
Sebastien Deleuze 8 years ago
parent
7e9b7102b7
commit
896eb5687a
4 changed files with 43 additions and 28 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 5
      spring-web/src/main/java/org/springframework/web/cors/reactive/CorsUtils.java
  2. 3
      spring-web/src/main/java/org/springframework/web/util/WebUtils.java
  3. 9
      spring-web/src/test/java/org/springframework/web/cors/reactive/CorsUtilsTests.java
  4. 54
      spring-web/src/test/java/org/springframework/web/util/WebUtilsTests.java

5
spring-web/src/main/java/org/springframework/web/cors/reactive/CorsUtils.java
Unescape View File

@ -69,13 +69,16 @@ public abstract class CorsUtils { @@ -69,13 +69,16 @@ public abstract class CorsUtils {
}
URI uri = request.getURI();
String actualScheme = uri.getScheme();
String actualHost = uri.getHost();
int actualPort = getPort(uri.getScheme(), uri.getPort());
Assert.notNull(actualScheme, "Actual request scheme must not be null");
Assert.notNull(actualHost, "Actual request host must not be null");
Assert.isTrue(actualPort != -1, "Actual request port must not be undefined");
UriComponents originUrl = UriComponentsBuilder.fromOriginHeader(origin).build();
return (actualHost.equals(originUrl.getHost()) &&
return (actualScheme.equals(originUrl.getScheme()) &&
actualHost.equals(originUrl.getHost()) &&
actualPort == getPort(originUrl.getScheme(), originUrl.getPort()));
}

3
spring-web/src/main/java/org/springframework/web/util/WebUtils.java
Unescape View File

@ -813,7 +813,8 @@ public abstract class WebUtils { @@ -813,7 +813,8 @@ public abstract class WebUtils {
}
UriComponents originUrl = UriComponentsBuilder.fromOriginHeader(origin).build();
return (ObjectUtils.nullSafeEquals(host, originUrl.getHost()) &&
return (ObjectUtils.nullSafeEquals(scheme, originUrl.getScheme()) &&
ObjectUtils.nullSafeEquals(host, originUrl.getHost()) &&
getPort(scheme, port) == getPort(originUrl.getScheme(), originUrl.getPort()));
}

9
spring-web/src/test/java/org/springframework/web/cors/reactive/CorsUtilsTests.java
Unescape View File

@ -92,6 +92,15 @@ public class CorsUtilsTests { @@ -92,6 +92,15 @@ public class CorsUtilsTests {
testWithForwardedHeader(server, 123, "proto=https; host=mydomain2.com:456", "https://mydomain2.com:456");
}
@Test // SPR-16362
public void isSameOriginWithDifferentSchemes() {
MockServerHttpRequest request = MockServerHttpRequest
.get("http://mydomain1.com")
.header(HttpHeaders.ORIGIN, "https://mydomain1.com")
.build();
assertFalse(CorsUtils.isSameOrigin(request));
}
private void testWithXForwardedHeaders(String serverName, int port,
String forwardedProto, String forwardedHost, int forwardedPort, String originHeader) {

54
spring-web/src/test/java/org/springframework/web/util/WebUtilsTests.java
Unescape View File

@ -105,39 +105,40 @@ public class WebUtilsTests { @@ -105,39 +105,40 @@ public class WebUtilsTests {
@Test
public void isSameOrigin() {
assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com"));
assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com:80"));
assertTrue(checkSameOrigin("mydomain1.com", 443, "https://mydomain1.com"));
assertTrue(checkSameOrigin("mydomain1.com", 443, "https://mydomain1.com:443"));
assertTrue(checkSameOrigin("mydomain1.com", 123, "http://mydomain1.com:123"));
assertTrue(checkSameOrigin("mydomain1.com", -1, "ws://mydomain1.com"));
assertTrue(checkSameOrigin("mydomain1.com", 443, "wss://mydomain1.com"));
assertFalse(checkSameOrigin("mydomain1.com", -1, "http://mydomain2.com"));
assertFalse(checkSameOrigin("mydomain1.com", -1, "https://mydomain1.com"));
assertFalse(checkSameOrigin("mydomain1.com", -1, "invalid-origin"));
assertTrue(checkSameOrigin("http", "mydomain1.com", -1, "http://mydomain1.com"));
assertTrue(checkSameOrigin("http", "mydomain1.com", -1, "http://mydomain1.com:80"));
assertTrue(checkSameOrigin("https", "mydomain1.com", 443, "https://mydomain1.com"));
assertTrue(checkSameOrigin("https", "mydomain1.com", 443, "https://mydomain1.com:443"));
assertTrue(checkSameOrigin("http", "mydomain1.com", 123, "http://mydomain1.com:123"));
assertTrue(checkSameOrigin("ws", "mydomain1.com", -1, "ws://mydomain1.com"));
assertTrue(checkSameOrigin("wss", "mydomain1.com", 443, "wss://mydomain1.com"));
assertFalse(checkSameOrigin("http", "mydomain1.com", -1, "http://mydomain2.com"));
assertFalse(checkSameOrigin("http", "mydomain1.com", -1, "https://mydomain1.com"));
assertFalse(checkSameOrigin("http", "mydomain1.com", -1, "invalid-origin"));
assertFalse(checkSameOrigin("https", "mydomain1.com", -1, "http://mydomain1.com"));
// Handling of invalid origins as described in SPR-13478
assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com/"));
assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com:80/"));
assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com/path"));
assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com:80/path"));
assertFalse(checkSameOrigin("mydomain2.com", -1, "http://mydomain1.com/"));
assertFalse(checkSameOrigin("mydomain2.com", -1, "http://mydomain1.com:80/"));
assertFalse(checkSameOrigin("mydomain2.com", -1, "http://mydomain1.com/path"));
assertFalse(checkSameOrigin("mydomain2.com", -1, "http://mydomain1.com:80/path"));
assertTrue(checkSameOrigin("http", "mydomain1.com", -1, "http://mydomain1.com/"));
assertTrue(checkSameOrigin("http", "mydomain1.com", -1, "http://mydomain1.com:80/"));
assertTrue(checkSameOrigin("http", "mydomain1.com", -1, "http://mydomain1.com/path"));
assertTrue(checkSameOrigin("http", "mydomain1.com", -1, "http://mydomain1.com:80/path"));
assertFalse(checkSameOrigin("http", "mydomain2.com", -1, "http://mydomain1.com/"));
assertFalse(checkSameOrigin("http", "mydomain2.com", -1, "http://mydomain1.com:80/"));
assertFalse(checkSameOrigin("http", "mydomain2.com", -1, "http://mydomain1.com/path"));
assertFalse(checkSameOrigin("http", "mydomain2.com", -1, "http://mydomain1.com:80/path"));
// Handling of IPv6 hosts as described in SPR-13525
assertTrue(checkSameOrigin("[::1]", -1, "http://[::1]"));
assertTrue(checkSameOrigin("[::1]", 8080, "http://[::1]:8080"));
assertTrue(checkSameOrigin(
assertTrue(checkSameOrigin("http", "[::1]", -1, "http://[::1]"));
assertTrue(checkSameOrigin("http", "[::1]", 8080, "http://[::1]:8080"));
assertTrue(checkSameOrigin("http",
"[2001:0db8:0000:85a3:0000:0000:ac1f:8001]", -1,
"http://[2001:0db8:0000:85a3:0000:0000:ac1f:8001]"));
assertTrue(checkSameOrigin(
assertTrue(checkSameOrigin("http",
"[2001:0db8:0000:85a3:0000:0000:ac1f:8001]", 8080,
"http://[2001:0db8:0000:85a3:0000:0000:ac1f:8001]:8080"));
assertFalse(checkSameOrigin("[::1]", -1, "http://[::1]:8080"));
assertFalse(checkSameOrigin("[::1]", 8080,
assertFalse(checkSameOrigin("http", "[::1]", -1, "http://[::1]:8080"));
assertFalse(checkSameOrigin("http", "[::1]", 8080,
"http://[2001:0db8:0000:85a3:0000:0000:ac1f:8001]:8080"));
}
@ -175,9 +176,10 @@ public class WebUtilsTests { @@ -175,9 +176,10 @@ public class WebUtilsTests {
return WebUtils.isValidOrigin(request, allowed);
}
private boolean checkSameOrigin(String serverName, int port, String originHeader) {
private boolean checkSameOrigin(String scheme, String serverName, int port, String originHeader) {
MockHttpServletRequest servletRequest = new MockHttpServletRequest();
ServerHttpRequest request = new ServletServerHttpRequest(servletRequest);
servletRequest.setScheme(scheme);
servletRequest.setServerName(serverName);
if (port != -1) {
servletRequest.setServerPort(port);

Write Preview
Loading…
Cancel
Save