
Avoid stacktrace for invalid Origin header values

This commit adds support for origins with a trailing slash or a path,
in order to avoid printing a stacktrace in the logs when
WebUtils#isSameOrigin(HttpRequest) parses such an invalid Origin header
value.

Issue: SPR-13478
pull/880/head
Sebastien Deleuze 11 years ago
parent
commit
9c66dfa7b5
  1. 6
      spring-web/src/main/java/org/springframework/web/util/UriComponentsBuilder.java
  2. 10
      spring-web/src/test/java/org/springframework/web/util/WebUtilsTests.java

6
spring-web/src/main/java/org/springframework/web/util/UriComponentsBuilder.java

@ -339,6 +339,7 @@ public class UriComponentsBuilder implements Cloneable { @@ -339,6 +339,7 @@ public class UriComponentsBuilder implements Cloneable {
/**
* Create an instance by parsing the "origin" header of an HTTP request.
* @see <a href="https://tools.ietf.org/html/rfc6454">RFC 6454</a>
*/
public static UriComponentsBuilder fromOriginHeader(String origin) {
UriComponentsBuilder builder = UriComponentsBuilder.newInstance();
@ -347,6 +348,11 @@ public class UriComponentsBuilder implements Cloneable { @@ -347,6 +348,11 @@ public class UriComponentsBuilder implements Cloneable {
String schema = (schemaIdx != -1 ? origin.substring(0, schemaIdx) : "http");
builder.scheme(schema);
String hostString = (schemaIdx != -1 ? origin.substring(schemaIdx + 3) : origin);
// Handling of invalid origins as described in SPR-13478
int firstSlashIdx = hostString.indexOf("/");
if (firstSlashIdx != -1) {
hostString = hostString.substring(0, firstSlashIdx);
}
if (hostString.contains(":")) {
String[] hostAndPort = StringUtils.split(hostString, ":");
builder.host(hostAndPort[0]);
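Review bot: The Javadoc on fromOriginHeader in the first hunk still describes the method as plain RFC 6454 parsing, while the second hunk now silently drops everything from the first "/" of the authority, so a caller cannot tell that a path in the Origin value is tolerated rather than rejected; add a line such as `* <p>Non-compliant values with a trailing slash or a path after the host are tolerated: the part from the first "/" onward is ignored (SPR-13478).` to that Javadoc. Only "/" is truncated, so a value like `http://host?x` or `http://host#x` presumably reaches builder.host(...) with the suffix still attached; either truncate at the first of "/", "?" and "#" or add a test pinning that such values are rejected by the same-origin comparison. The port-parsing branch after builder.host(...) continues outside the hunk, as does the end of the method.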

10
spring-web/src/test/java/org/springframework/web/util/WebUtilsTests.java

@ -132,6 +132,16 @@ public class WebUtilsTests { @@ -132,6 +132,16 @@ public class WebUtilsTests {
assertFalse(checkSameOrigin("mydomain1.com", -1, "http://mydomain2.com"));
assertFalse(checkSameOrigin("mydomain1.com", -1, "https://mydomain1.com"));
assertFalse(checkSameOrigin("mydomain1.com", -1, "invalid-origin"));
// Handling of invalid origins as described in SPR-13478
assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com/"));
assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com:80/"));
assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com/path"));
assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com:80/path"));
assertFalse(checkSameOrigin("mydomain2.com", -1, "http://mydomain1.com/"));
assertFalse(checkSameOrigin("mydomain2.com", -1, "http://mydomain1.com:80/"));
assertFalse(checkSameOrigin("mydomain2.com", -1, "http://mydomain1.com/path"));
assertFalse(checkSameOrigin("mydomain2.com", -1, "http://mydomain1.com:80/path"));
}
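Review bot: The new assertions only cover suffixes that start with "/", so the behaviour for an Origin whose host is followed by "?" or "#" (which the new truncation in UriComponentsBuilder does not strip) is left unpinned; a case such as `assertFalse(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com?x"));` (or assertTrue, whichever is intended) would document it. All new cases also use a server port of -1 with the http scheme, so the `:80/` variants presumably pass only through default-port normalisation that this hunk does not exercise directly. checkSameOrigin is defined outside the hunk.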
