Improve error handling in WebUtils.isValidOrigin()

With this commit, WebUtils.isValidOrigin() logs an error message and returns false
instead of throwing an IllegalArgumentException when the Origin header value is
invalid (for example when it does not contain a scheme).

Issue: SPR-12697
master
Sebastien Deleuze 10 years ago
parent adb502a0de
commit 40cbede7f3
  1. 14
      spring-web/src/main/java/org/springframework/web/util/WebUtils.java
  2. 4
      spring-web/src/test/java/org/springframework/web/util/WebUtilsTests.java

@ -33,6 +33,9 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession; import javax.servlet.http.HttpSession;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.http.HttpRequest; import org.springframework.http.HttpRequest;
import org.springframework.util.Assert; import org.springframework.util.Assert;
import org.springframework.util.LinkedMultiValueMap; import org.springframework.util.LinkedMultiValueMap;
@ -131,6 +134,8 @@ public abstract class WebUtils {
/** Key for the mutex session attribute */ /** Key for the mutex session attribute */
public static final String SESSION_MUTEX_ATTRIBUTE = WebUtils.class.getName() + ".MUTEX"; public static final String SESSION_MUTEX_ATTRIBUTE = WebUtils.class.getName() + ".MUTEX";
private static final Log logger = LogFactory.getLog(WebUtils.class);
/** /**
* Set a system property to the web application root directory. * Set a system property to the web application root directory.
@ -786,7 +791,14 @@ public abstract class WebUtils {
return true; return true;
} }
else if (allowedOrigins.isEmpty()) { else if (allowedOrigins.isEmpty()) {
UriComponents originComponents = UriComponentsBuilder.fromHttpUrl(origin).build(); UriComponents originComponents;
try {
originComponents = UriComponentsBuilder.fromHttpUrl(origin).build();
}
catch (IllegalArgumentException ex) {
logger.error("Failed to parse Origin header value [" + origin + "]");
return false;
}
UriComponents requestComponents = UriComponentsBuilder.fromHttpRequest(request).build(); UriComponents requestComponents = UriComponentsBuilder.fromHttpRequest(request).build();
int originPort = getPort(originComponents); int originPort = getPort(originComponents);
int requestPort = getPort(requestComponents); int requestPort = getPort(requestComponents);
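Review bot: The new catch block logs an attacker-controlled header value at ERROR level — a malformed Origin is a client-side condition, so any unauthenticated request can now produce an error-level entry, which invites log flooding and embeds the raw header verbatim in the log line. Prefer a lower level and keep the exception so the parse reason is not lost: `logger.debug("Failed to parse Origin header value [" + origin + "]", ex);` (or `warn` if operators should see it). Returning false on parse failure is the right fail-closed choice for the same-origin check. The `UriComponentsBuilder.fromHttpRequest(request).build()` call on the next line remains unguarded; whether it can throw for a malformed request is not visible in this hunk. isValidOrigin() begins before this hunk.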

@ -142,6 +142,10 @@ public class WebUtilsTests {
request.getHeaders().set(HttpHeaders.ORIGIN, "https://mydomain1.com"); request.getHeaders().set(HttpHeaders.ORIGIN, "https://mydomain1.com");
assertFalse(WebUtils.isValidOrigin(request, allowedOrigins)); assertFalse(WebUtils.isValidOrigin(request, allowedOrigins));
servletRequest.setServerName("invalid-origin");
request.getHeaders().set(HttpHeaders.ORIGIN, "invalid-origin");
assertFalse(WebUtils.isValidOrigin(request, allowedOrigins));
allowedOrigins = Arrays.asList("*"); allowedOrigins = Arrays.asList("*");
servletRequest.setServerName("mydomain1.com"); servletRequest.setServerName("mydomain1.com");
request.getHeaders().set(HttpHeaders.ORIGIN, "http://mydomain2.com"); request.getHeaders().set(HttpHeaders.ORIGIN, "http://mydomain2.com");
