From 40cbede7f36e4551189b2b0d60cc70aacec5f347 Mon Sep 17 00:00:00 2001 From: Sebastien Deleuze Date: Thu, 19 Feb 2015 14:12:10 +0100 Subject: [PATCH] Improve error handling in WebUtils.isValidOrigin() With this commit, WebUtils.isValidOrigin() logs an error message instead of throwing an IllegalArgumentException when Origin header value is invalid (for example when it does not contain the scheme). Issue: SPR-12697 --- .../org/springframework/web/util/WebUtils.java | 14 +++++++++++++- .../springframework/web/util/WebUtilsTests.java | 4 ++++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/spring-web/src/main/java/org/springframework/web/util/WebUtils.java b/spring-web/src/main/java/org/springframework/web/util/WebUtils.java index 2821b5e2fb..c406c506f7 100644 --- a/spring-web/src/main/java/org/springframework/web/util/WebUtils.java +++ b/spring-web/src/main/java/org/springframework/web/util/WebUtils.java @@ -33,6 +33,9 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; + import org.springframework.http.HttpRequest; import org.springframework.util.Assert; import org.springframework.util.LinkedMultiValueMap; @@ -131,6 +134,8 @@ public abstract class WebUtils { /** Key for the mutex session attribute */ public static final String SESSION_MUTEX_ATTRIBUTE = WebUtils.class.getName() + ".MUTEX"; + private static final Log logger = LogFactory.getLog(WebUtils.class); + /** * Set a system property to the web application root directory. 
@@ -786,7 +791,14 @@ public abstract class WebUtils {
 return true;
 }
 else if (allowedOrigins.isEmpty()) {
- UriComponents originComponents = UriComponentsBuilder.fromHttpUrl(origin).build();
+ UriComponents originComponents;
+ try {
+ originComponents = UriComponentsBuilder.fromHttpUrl(origin).build();
+ }
+ catch (IllegalArgumentException ex) {
+ logger.error("Failed to parse Origin header value [" + origin + "]");
+ return false;
+ }
 UriComponents requestComponents = UriComponentsBuilder.fromHttpRequest(request).build();
 int originPort = getPort(originComponents);
 int requestPort = getPort(requestComponents);
diff --git a/spring-web/src/test/java/org/springframework/web/util/WebUtilsTests.java b/spring-web/src/test/java/org/springframework/web/util/WebUtilsTests.java
index e0a66ce26e..be8a2cec53 100644
--- a/spring-web/src/test/java/org/springframework/web/util/WebUtilsTests.java
+++ b/spring-web/src/test/java/org/springframework/web/util/WebUtilsTests.java
@@ -142,6 +142,10 @@ public class WebUtilsTests {
 request.getHeaders().set(HttpHeaders.ORIGIN, "https://mydomain1.com");
 assertFalse(WebUtils.isValidOrigin(request, allowedOrigins));
 
+ servletRequest.setServerName("invalid-origin");
+ request.getHeaders().set(HttpHeaders.ORIGIN, "invalid-origin");
+ assertFalse(WebUtils.isValidOrigin(request, allowedOrigins));
+
 allowedOrigins = Arrays.asList("*");
 servletRequest.setServerName("mydomain1.com");
 request.getHeaders().set(HttpHeaders.ORIGIN, "http://mydomain2.com");
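Review bot: The catch branch writes the raw, client-supplied Origin value into the log at ERROR level via `logger.error("Failed to parse Origin header value [" + origin + "]")`, so any unauthenticated client can fill the error log with arbitrary content just by sending a malformed header. It will also fire for `Origin: null`, which browsers legitimately send for opaque origins (RFC 6454 §7.3, e.g. after a cross-origin redirect or from a sandboxed frame) and which has no scheme, so it presumably fails `fromHttpUrl` exactly like the case the commit message describes — rejecting it is correct, but it is not an application error. I would log at `debug` and keep the parser's reason instead of dropping `ex`: `logger.debug("Rejecting unparseable Origin header [" + origin + "]: " + ex.getMessage());`. isValidOrigin continues past the hunk, where `originComponents.getHost()` is compared with the request host; that part is unchanged and not visible here.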
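Review bot: The new assertions cover only a bare hostname (`"invalid-origin"`), while the malformed-looking value this path will actually meet in production, `Origin: null` (sent by browsers for opaque origins, e.g. after a cross-origin redirect or from a sandboxed frame), is not exercised. I would add `request.getHeaders().set(HttpHeaders.ORIGIN, "null"); assertFalse(WebUtils.isValidOrigin(request, allowedOrigins));` right after the new block so the no-scheme case that users will really see is pinned. Pointing `servletRequest.setServerName("invalid-origin")` at the same string is a good touch, since it shows the rejection comes from the parse failure and not from a host mismatch. The enclosing test method starts and ends outside the hunk.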