From c0729756d76c355829ec63921a2ba0f6aebfebfc Mon Sep 17 00:00:00 2001 From: Phillip Webb Date: Thu, 20 Sep 2012 17:39:07 -0700 Subject: [PATCH] Protect RequestCondition against unkown HTTP methods The RequestMethodsRequestCondition is now protected against HTTP request method values not present in the RequestMethod enumeration (e.g. PROPFIND). Issue: SPR-9815 --- .../RequestMethodsRequestCondition.java | 37 ++++++++++++------- .../RequestMethodsRequestConditionTests.java | 14 ++++++- 2 files changed, 36 insertions(+), 15 deletions(-) diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/condition/RequestMethodsRequestCondition.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/condition/RequestMethodsRequestCondition.java index 902d3fb3ad..22d5e3b8b5 100644 --- a/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/condition/RequestMethodsRequestCondition.java +++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/condition/RequestMethodsRequestCondition.java 
@@ -87,32 +87,43 @@ public final class RequestMethodsRequestCondition extends AbstractRequestConditi } /** - * Checks if any of the HTTP request methods match the given request and returns - * an instance that contains the matching request method only. + * Check if any of the HTTP request methods match the given request and + * return an instance that contains the matching HTTP request method only. + * * @param request the current request - * @return the same instance if the condition contains no request method; - * or a new condition with the matching request method; - * or {@code null} if no request methods match. + * @return the same instance if the condition is empty, a new condition with + * the matched request method, or {@code null} if no request methods match */ public RequestMethodsRequestCondition getMatchingCondition(HttpServletRequest request) { - if (methods.isEmpty()) { + if (this.methods.isEmpty()) { return this; } - RequestMethod incomingRequestMethod = RequestMethod.valueOf(request.getMethod()); - for (RequestMethod method : methods) { - if (method.equals(incomingRequestMethod)) { - return new RequestMethodsRequestCondition(method); + RequestMethod incomingRequestMethod = getRequestMethod(request); + if(incomingRequestMethod != null) { + for (RequestMethod method : this.methods) { + if (method.equals(incomingRequestMethod)) { + return new RequestMethodsRequestCondition(method); + } } } return null; } + private RequestMethod getRequestMethod(HttpServletRequest request) { + try { + return RequestMethod.valueOf(request.getMethod()); + } + catch (IllegalArgumentException e) { + return null; + } + } + /** * Returns: * * *

It is assumed that both instances have been obtained via diff --git a/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/condition/RequestMethodsRequestConditionTests.java b/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/condition/RequestMethodsRequestConditionTests.java index b8aa875359..b31b403183 100644 --- a/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/condition/RequestMethodsRequestConditionTests.java +++ b/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/condition/RequestMethodsRequestConditionTests.java @@ -16,6 +16,7 @@ package org.springframework.web.servlet.mvc.condition; +import static org.junit.Assert.*; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertNull; @@ -47,7 +48,7 @@ public class RequestMethodsRequestConditionTests { assertNull(condition.getMatchingCondition(request)); } - + @Test public void multipleMethodsMatch() { RequestMethodsRequestCondition condition = new RequestMethodsRequestCondition(RequestMethod.GET, RequestMethod.POST); @@ -66,6 +67,15 @@ public class RequestMethodsRequestConditionTests { assertNotNull(condition.getMatchingCondition(new MockHttpServletRequest("HEAD", ""))); } + @Test + public void unknownMethodType() throws Exception { + RequestMethodsRequestCondition condition = new RequestMethodsRequestCondition(RequestMethod.GET, RequestMethod.POST); + + MockHttpServletRequest request = new MockHttpServletRequest("PROPFIND", "/foo"); + + assertNull(condition.getMatchingCondition(request)); + } + @Test public void compareTo() { RequestMethodsRequestCondition condition1 = new RequestMethodsRequestCondition(RequestMethod.GET, RequestMethod.HEAD); 
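Review bot: The new private `getRequestMethod` helper swallows the `IllegalArgumentException` with no comment, so its null return for a method token outside the `RequestMethod` enum is an undocumented contract; I would add `// HTTP method not in RequestMethod (e.g. PROPFIND): report "no match" instead of failing the request` inside the catch and rename the variable to `ignored`. The `this.methods.isEmpty()` early return in `getMatchingCondition` still runs before the lookup, so a condition that declares no methods keeps matching requests whose method is not in the enum; the Javadoc's "the same instance if the condition is empty" could say that explicitly, because the method string is client-controlled and handlers mapped without a method restriction will receive such verbs. `RequestMethod.valueOf` throws `NullPointerException`, not `IllegalArgumentException`, for a null name, which the catch does not cover; this is probably unreachable with a real container but worth confirming. Minor style: `if(incomingRequestMethod != null)` lacks the space after `if` that the rest of the hunk uses.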
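Review bot: The added `import static org.junit.Assert.*;` duplicates the explicit static imports of `assertEquals`, `assertNotNull` and `assertNull` kept directly below it. Either drop the wildcard and import the one missing name explicitly, or drop the explicit lines; mixing both hides which assertions the file actually relies on. The rest of the import block is outside the hunk, so which name prompted the wildcard cannot be seen here.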
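Review bot: `unknownMethodType` only covers a condition that declares GET and POST; there is no case for an empty condition receiving `PROPFIND`, which takes the `isEmpty()` early return in `getMatchingCondition` and therefore matches. Adding `assertNotNull(new RequestMethodsRequestCondition().getMatchingCondition(request));` to this test would pin that behaviour, so that any later change to how unrestricted mappings treat unknown verbs is deliberate. The `throws Exception` clause on the test method looks unnecessary from the visible lines.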
@@ -73,7 +83,7 @@ public class RequestMethodsRequestConditionTests { RequestMethodsRequestCondition condition3 = new RequestMethodsRequestCondition(); MockHttpServletRequest request = new MockHttpServletRequest(); - + int result = condition1.compareTo(condition2, request); assertTrue("Invalid comparison result: " + result, result < 0);