Improve error handling in WebUtils.isValidOrigin()

With this commit, WebUtils.isValidOrigin() logs an error message instead
of throwing an IllegalArgumentException when the Origin header value is
invalid (for example, when it does not contain the scheme).

Issue: SPR-12697
Sebastien Deleuze 2015-02-19 14:12:10 +01:00
parent b5e80390de
commit 7cc56e1630
2 changed files with 17 additions and 1 deletions


@ -33,6 +33,9 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.http.HttpRequest;
import org.springframework.util.Assert;
import org.springframework.util.LinkedMultiValueMap;
@ -131,6 +134,8 @@ public abstract class WebUtils {
/** Key for the mutex session attribute */
public static final String SESSION_MUTEX_ATTRIBUTE = WebUtils.class.getName() + ".MUTEX";
private static final Log logger = LogFactory.getLog(WebUtils.class);
/**
* Set a system property to the web application root directory.
@ -786,7 +791,14 @@ public abstract class WebUtils {
return true;
}
else if (allowedOrigins.isEmpty()) {
UriComponents originComponents = UriComponentsBuilder.fromHttpUrl(origin).build();
UriComponents originComponents;
try {
originComponents = UriComponentsBuilder.fromHttpUrl(origin).build();
}
catch (IllegalArgumentException ex) {
logger.error("Failed to parse Origin header value [" + origin + "]");
return false;
}
UriComponents requestComponents = UriComponentsBuilder.fromHttpRequest(request).build();
int originPort = getPort(originComponents);
int requestPort = getPort(requestComponents);
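Review bot: The new catch block in the third hunk logs the raw, client-supplied Origin header value at ERROR level by string concatenation and discards `ex`, so any unauthenticated request can place arbitrary header text into the error log while the parser's reason for rejecting the value is lost. A malformed Origin is answered with `return false` and is not a server fault, so a lower level with the cause attached reads better: `logger.warn("Failed to parse Origin header value [" + origin + "]", ex);` (or `debug` if such rejections are expected to be routine). If the logging backend does not escape line breaks, it may be preferable not to echo the value at all. The enclosing isValidOrigin() method begins and ends outside the hunk, and the added/removed side of each line here is inferred from the hunk's counts rather than from explicit markers.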


@ -142,6 +142,10 @@ public class WebUtilsTests {
request.getHeaders().set(HttpHeaders.ORIGIN, "https://mydomain1.com");
assertFalse(WebUtils.isValidOrigin(request, allowedOrigins));
servletRequest.setServerName("invalid-origin");
request.getHeaders().set(HttpHeaders.ORIGIN, "invalid-origin");
assertFalse(WebUtils.isValidOrigin(request, allowedOrigins));
allowedOrigins = Arrays.asList("*");
servletRequest.setServerName("mydomain1.com");
request.getHeaders().set(HttpHeaders.ORIGIN, "http://mydomain2.com");