From 9c66dfa7b5f610ddeb69b9dc10baa227fbddcbf1 Mon Sep 17 00:00:00 2001 From: Sebastien Deleuze Date: Mon, 28 Sep 2015 11:03:51 +0200 Subject: [PATCH] Avoid stacktrace for invalid Origin header values This commit adds support for origins with a trailing slash or a path, in order to avoid printing a stacktrace in the logs when WebUtils#isSameOrigin(HttpRequest) parses such invalid Origin header value. Issue: SPR-13478
---
 .../springframework/web/util/UriComponentsBuilder.java | 6 ++++++ .../org/springframework/web/util/WebUtilsTests.java | 10 ++++++++++ 2 files changed, 16 insertions(+)
diff --git a/spring-web/src/main/java/org/springframework/web/util/UriComponentsBuilder.java b/spring-web/src/main/java/org/springframework/web/util/UriComponentsBuilder.java
index adb99729a8c..0091168cfa4 100644
--- a/spring-web/src/main/java/org/springframework/web/util/UriComponentsBuilder.java
+++ b/spring-web/src/main/java/org/springframework/web/util/UriComponentsBuilder.java
@@ -339,6 +339,7 @@ public class UriComponentsBuilder implements Cloneable {
 /**
 * Create an instance by parsing the "origin" header of an HTTP request.
+ * @see RFC 6454
 */
 public static UriComponentsBuilder fromOriginHeader(String origin) {
 UriComponentsBuilder builder = UriComponentsBuilder.newInstance();
@@ -347,6 +348,11 @@ public class UriComponentsBuilder implements Cloneable {
 String schema = (schemaIdx != -1 ? origin.substring(0, schemaIdx) : "http");
 builder.scheme(schema);
 String hostString = (schemaIdx != -1 ? origin.substring(schemaIdx + 3) : origin);
+ // Handling of invalid origins as described in SPR-13478
+ int firstSlashIdx = hostString.indexOf("/");
+ if (firstSlashIdx != -1) {
+ hostString = hostString.substring(0, firstSlashIdx);
+ }
 if (hostString.contains(":")) {
 String[] hostAndPort = StringUtils.split(hostString, ":");
 builder.host(hostAndPort[0]);
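Review bot: The added `@see RFC 6454` in the Javadoc of fromOriginHeader is not a valid `@see` target: the tag expects a `{@link}`-style reference, a quoted string or an HTML link, so javadoc reads `RFC` as a type name and reports an unresolved reference. Use `@see <a href="https://tools.ietf.org/html/rfc6454">RFC 6454</a>` (or at least `@see "RFC 6454"`) so the citation renders and doclint stays clean. The method body continues in the next hunk and past it.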
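Review bot: The new truncation at the first `/` handles only one of the ways a malformed Origin value can carry more than scheme, host and port; a value such as `http://mydomain1.com:80?x` or `http://mydomain1.com:80#x` is still passed whole to the `:`-split below it, and the port parsing that presumably follows `builder.host(hostAndPort[0])` outside this hunk would then see `80?x`, which is exactly the logged stacktrace the commit sets out to remove. Since the Origin serialization defined by RFC 6454 carries no path, query or fragment, I would cut at the first of `/`, `?` or `#` rather than at `/` alone, and say that in the comment instead of only citing the issue number. fromOriginHeader starts in the previous hunk and its remainder, including the port handling, is outside this one, so the claim about the port parse is inferred rather than visible. A minor point of style: `indexOf('/')` with a char literal is the usual idiom for a single-character search.
```java
		String hostString = (schemaIdx != -1 ? origin.substring(schemaIdx + 3) : origin);
		// Handling of invalid origins as described in SPR-13478: the Origin
		// serialization (RFC 6454, section 6) carries no path, query or fragment,
		// so drop anything after the authority rather than letting the port parse fail.
		int authorityEnd = hostString.length();
		for (char delimiter : new char[] {'/', '?', '#'}) {
			int idx = hostString.indexOf(delimiter);
			if (idx != -1 && idx < authorityEnd) {
				authorityEnd = idx;
			}
		}
		hostString = hostString.substring(0, authorityEnd);
		// … unchanged: host/port split …
```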
diff --git a/spring-web/src/test/java/org/springframework/web/util/WebUtilsTests.java b/spring-web/src/test/java/org/springframework/web/util/WebUtilsTests.java
index b82da3709b8..0c0042056b4 100644
--- a/spring-web/src/test/java/org/springframework/web/util/WebUtilsTests.java
+++ b/spring-web/src/test/java/org/springframework/web/util/WebUtilsTests.java
@@ -132,6 +132,16 @@ public class WebUtilsTests {
 assertFalse(checkSameOrigin("mydomain1.com", -1, "http://mydomain2.com"));
 assertFalse(checkSameOrigin("mydomain1.com", -1, "https://mydomain1.com"));
 assertFalse(checkSameOrigin("mydomain1.com", -1, "invalid-origin"));
+
+ // Handling of invalid origins as described in SPR-13478
+ assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com/"));
+ assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com:80/"));
+ assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com/path"));
+ assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com:80/path"));
+ assertFalse(checkSameOrigin("mydomain2.com", -1, "http://mydomain1.com/"));
+ assertFalse(checkSameOrigin("mydomain2.com", -1, "http://mydomain1.com:80/"));
+ assertFalse(checkSameOrigin("mydomain2.com", -1, "http://mydomain1.com/path"));
+ assertFalse(checkSameOrigin("mydomain2.com", -1, "http://mydomain1.com:80/path"));
 }