Add Access-Control-Request-Method check for CORS preflight requests

Issue: SPR-13193
11 years ago · 8ee0e78980
3 changed files with 8 additions and 3 deletions
--- a/spring-web/src/main/java/org/springframework/web/cors/CorsUtils.java
+++ b/spring-web/src/main/java/org/springframework/web/cors/CorsUtils.java
@ -41,7 +41,8 @@ public class CorsUtils {
				@@ -41,7 +41,8 @@ public class CorsUtils {
 	 * Returns {@code true} if the request is a valid CORS pre-flight one.
 	 */
 	public static boolean isPreFlightRequest(HttpServletRequest request) {
-		return (isCorsRequest(request) && request.getMethod().equals(HttpMethod.OPTIONS.name()));
+		return (isCorsRequest(request) && request.getMethod().equals(HttpMethod.OPTIONS.name())
+				&& request.getHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD) != null);
 	}

 }
--- a/spring-web/src/test/java/org/springframework/web/cors/CorsUtilsTests.java
+++ b/spring-web/src/test/java/org/springframework/web/cors/CorsUtilsTests.java
@ -21,6 +21,7 @@ import static org.junit.Assert.*;
				@@ -21,6 +21,7 @@ import static org.junit.Assert.*;
 import org.junit.Test;

 import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpMethod;
 import org.springframework.mock.web.test.MockHttpServletRequest;

 /**
@ -46,7 +47,7 @@ public class CorsUtilsTests {
				@@ -46,7 +47,7 @@ public class CorsUtilsTests {
 	@Test
 	public void isPreFlightRequest() {
 		MockHttpServletRequest request = new MockHttpServletRequest();
-		request.setMethod("OPTIONS");
+		request.setMethod(HttpMethod.OPTIONS.name());
 		request.addHeader(HttpHeaders.ORIGIN, "http://domain.com");
 		request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
 		assertTrue(CorsUtils.isPreFlightRequest(request));
@ -58,10 +59,12 @@ public class CorsUtilsTests {
				@@ -58,10 +59,12 @@ public class CorsUtilsTests {
 		assertFalse(CorsUtils.isPreFlightRequest(request));

 		request = new MockHttpServletRequest();
+		request.setMethod(HttpMethod.OPTIONS.name());
 		request.addHeader(HttpHeaders.ORIGIN, "http://domain.com");
 		assertFalse(CorsUtils.isPreFlightRequest(request));

 		request = new MockHttpServletRequest();
+		request.setMethod(HttpMethod.OPTIONS.name());
 		request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
 		assertFalse(CorsUtils.isPreFlightRequest(request));
 	}
--- a/spring-webmvc/src/main/java/org/springframework/web/servlet/FrameworkServlet.java
+++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/FrameworkServlet.java
@ -61,6 +61,7 @@ import org.springframework.web.context.request.async.WebAsyncUtils;
				@@ -61,6 +61,7 @@ import org.springframework.web.context.request.async.WebAsyncUtils;
 import org.springframework.web.context.support.ServletRequestHandledEvent;
 import org.springframework.web.context.support.WebApplicationContextUtils;
 import org.springframework.web.context.support.XmlWebApplicationContext;
+import org.springframework.web.cors.CorsUtils;
 import org.springframework.web.util.NestedServletException;
 import org.springframework.web.util.WebUtils;

@ -903,7 +904,7 @@ public abstract class FrameworkServlet extends HttpServletBean implements Applic
				@@ -903,7 +904,7 @@ public abstract class FrameworkServlet extends HttpServletBean implements Applic
 	protected void doOptions(HttpServletRequest request, HttpServletResponse response)
 			throws ServletException, IOException {

-		if (this.dispatchOptionsRequest || request.getHeader("Origin") != null) {
+		if (this.dispatchOptionsRequest || CorsUtils.isPreFlightRequest(request)) {
 			processRequest(request, response);
 			if (response.containsHeader("Allow")) {
 				// Proper OPTIONS response coming from a handler - we're done.