Check scheme in (WebUtils|CorsUtils)#isSameOrigin

Issue: SPR-16362
This commit is contained in:
Sebastien Deleuze 2018-08-08 11:31:18 +02:00
parent 7e9b7102b7
commit 896eb5687a
4 changed files with 42 additions and 27 deletions


@ -69,13 +69,16 @@ public abstract class CorsUtils {
}
URI uri = request.getURI();
String actualScheme = uri.getScheme();
String actualHost = uri.getHost();
int actualPort = getPort(uri.getScheme(), uri.getPort());
Assert.notNull(actualScheme, "Actual request scheme must not be null");
Assert.notNull(actualHost, "Actual request host must not be null");
Assert.isTrue(actualPort != -1, "Actual request port must not be undefined");
UriComponents originUrl = UriComponentsBuilder.fromOriginHeader(origin).build();
return (actualHost.equals(originUrl.getHost()) &&
return (actualScheme.equals(originUrl.getScheme()) &&
actualHost.equals(originUrl.getHost()) &&
actualPort == getPort(originUrl.getScheme(), originUrl.getPort()));
}
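Review bot: The new scheme comparison on L23, `actualScheme.equals(originUrl.getScheme())`, is case-sensitive, while URI schemes are case-insensitive under RFC 3986 — a request whose URI reports `HTTP` would be treated as a different origin from an `http://` Origin header. Whether that can happen depends on how `request.getURI()` normalizes the scheme, which is outside this hunk; if lowercase is not guaranteed there, `actualScheme.equalsIgnoreCase(originUrl.getScheme()) &&` is the safer form, and the same applies to the `nullSafeEquals` scheme check in the WebUtils hunk of this commit. `getPort(uri.getScheme(), ...)` presumably maps the scheme to a default port and would share the same sensitivity. `isSameOrigin` begins before this hunk; its Javadoc should now state that scheme, host and port are all compared.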


@ -813,7 +813,8 @@ public abstract class WebUtils {
}
UriComponents originUrl = UriComponentsBuilder.fromOriginHeader(origin).build();
return (ObjectUtils.nullSafeEquals(host, originUrl.getHost()) &&
return (ObjectUtils.nullSafeEquals(scheme, originUrl.getScheme()) &&
ObjectUtils.nullSafeEquals(host, originUrl.getHost()) &&
getPort(scheme, port) == getPort(originUrl.getScheme(), originUrl.getPort()));
}
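Review bot: The new scheme check on L34 uses `ObjectUtils.nullSafeEquals`, so a request with no scheme and an Origin header from which no scheme is parsed compare as equal, whereas the CorsUtils hunk in this commit rejects a null request scheme with `Assert.notNull`. The two implementations therefore fail differently on the same malformed input; if the lenient behaviour is intended, a comment such as `// a null scheme on both sides counts as a match, consistent with the host check below` would make that explicit, otherwise a guard `scheme != null && ObjectUtils.nullSafeEquals(scheme, originUrl.getScheme()) &&` mirrors CorsUtils. Where `scheme` is assigned is outside the hunk, so I cannot tell whether null is actually reachable here.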


@ -92,6 +92,15 @@ public class CorsUtilsTests {
testWithForwardedHeader(server, 123, "proto=https; host=mydomain2.com:456", "https://mydomain2.com:456");
}
@Test // SPR-16362
public void isSameOriginWithDifferentSchemes() {
MockServerHttpRequest request = MockServerHttpRequest
.get("http://mydomain1.com")
.header(HttpHeaders.ORIGIN, "https://mydomain1.com")
.build();
assertFalse(CorsUtils.isSameOrigin(request));
}
private void testWithXForwardedHeaders(String serverName, int port,
String forwardedProto, String forwardedHost, int forwardedPort, String originHeader) {
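Review bot: The new `isSameOriginWithDifferentSchemes` test exercises only one direction, an `http://` request URI against an `https://` Origin; the reverse case — a `.get("https://mydomain1.com")` request with `.header(HttpHeaders.ORIGIN, "http://mydomain1.com")` — is covered for WebUtils in this commit but not for CorsUtils, and a second `assertFalse(CorsUtils.isSameOrigin(request))` with those values would pin both sides of the new scheme comparison. A case with explicit default ports (`http://mydomain1.com:80` against `https://mydomain1.com:443`) would also confirm that the scheme check is not masked by the default-port mapping. `testWithXForwardedHeaders` starts at the end of this hunk and continues outside it.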


@ -105,39 +105,40 @@ public class WebUtilsTests {
@Test
public void isSameOrigin() {
assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com"));
assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com:80"));
assertTrue(checkSameOrigin("mydomain1.com", 443, "https://mydomain1.com"));
assertTrue(checkSameOrigin("mydomain1.com", 443, "https://mydomain1.com:443"));
assertTrue(checkSameOrigin("mydomain1.com", 123, "http://mydomain1.com:123"));
assertTrue(checkSameOrigin("mydomain1.com", -1, "ws://mydomain1.com"));
assertTrue(checkSameOrigin("mydomain1.com", 443, "wss://mydomain1.com"));
assertTrue(checkSameOrigin("http", "mydomain1.com", -1, "http://mydomain1.com"));
assertTrue(checkSameOrigin("http", "mydomain1.com", -1, "http://mydomain1.com:80"));
assertTrue(checkSameOrigin("https", "mydomain1.com", 443, "https://mydomain1.com"));
assertTrue(checkSameOrigin("https", "mydomain1.com", 443, "https://mydomain1.com:443"));
assertTrue(checkSameOrigin("http", "mydomain1.com", 123, "http://mydomain1.com:123"));
assertTrue(checkSameOrigin("ws", "mydomain1.com", -1, "ws://mydomain1.com"));
assertTrue(checkSameOrigin("wss", "mydomain1.com", 443, "wss://mydomain1.com"));
assertFalse(checkSameOrigin("mydomain1.com", -1, "http://mydomain2.com"));
assertFalse(checkSameOrigin("mydomain1.com", -1, "https://mydomain1.com"));
assertFalse(checkSameOrigin("mydomain1.com", -1, "invalid-origin"));
assertFalse(checkSameOrigin("http", "mydomain1.com", -1, "http://mydomain2.com"));
assertFalse(checkSameOrigin("http", "mydomain1.com", -1, "https://mydomain1.com"));
assertFalse(checkSameOrigin("http", "mydomain1.com", -1, "invalid-origin"));
assertFalse(checkSameOrigin("https", "mydomain1.com", -1, "http://mydomain1.com"));
// Handling of invalid origins as described in SPR-13478
assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com/"));
assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com:80/"));
assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com/path"));
assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com:80/path"));
assertFalse(checkSameOrigin("mydomain2.com", -1, "http://mydomain1.com/"));
assertFalse(checkSameOrigin("mydomain2.com", -1, "http://mydomain1.com:80/"));
assertFalse(checkSameOrigin("mydomain2.com", -1, "http://mydomain1.com/path"));
assertFalse(checkSameOrigin("mydomain2.com", -1, "http://mydomain1.com:80/path"));
assertTrue(checkSameOrigin("http", "mydomain1.com", -1, "http://mydomain1.com/"));
assertTrue(checkSameOrigin("http", "mydomain1.com", -1, "http://mydomain1.com:80/"));
assertTrue(checkSameOrigin("http", "mydomain1.com", -1, "http://mydomain1.com/path"));
assertTrue(checkSameOrigin("http", "mydomain1.com", -1, "http://mydomain1.com:80/path"));
assertFalse(checkSameOrigin("http", "mydomain2.com", -1, "http://mydomain1.com/"));
assertFalse(checkSameOrigin("http", "mydomain2.com", -1, "http://mydomain1.com:80/"));
assertFalse(checkSameOrigin("http", "mydomain2.com", -1, "http://mydomain1.com/path"));
assertFalse(checkSameOrigin("http", "mydomain2.com", -1, "http://mydomain1.com:80/path"));
// Handling of IPv6 hosts as described in SPR-13525
assertTrue(checkSameOrigin("[::1]", -1, "http://[::1]"));
assertTrue(checkSameOrigin("[::1]", 8080, "http://[::1]:8080"));
assertTrue(checkSameOrigin(
assertTrue(checkSameOrigin("http", "[::1]", -1, "http://[::1]"));
assertTrue(checkSameOrigin("http", "[::1]", 8080, "http://[::1]:8080"));
assertTrue(checkSameOrigin("http",
"[2001:0db8:0000:85a3:0000:0000:ac1f:8001]", -1,
"http://[2001:0db8:0000:85a3:0000:0000:ac1f:8001]"));
assertTrue(checkSameOrigin(
assertTrue(checkSameOrigin("http",
"[2001:0db8:0000:85a3:0000:0000:ac1f:8001]", 8080,
"http://[2001:0db8:0000:85a3:0000:0000:ac1f:8001]:8080"));
assertFalse(checkSameOrigin("[::1]", -1, "http://[::1]:8080"));
assertFalse(checkSameOrigin("[::1]", 8080,
assertFalse(checkSameOrigin("http", "[::1]", -1, "http://[::1]:8080"));
assertFalse(checkSameOrigin("http", "[::1]", 8080,
"http://[2001:0db8:0000:85a3:0000:0000:ac1f:8001]:8080"));
}
@ -175,9 +176,10 @@ public class WebUtilsTests {
return WebUtils.isValidOrigin(request, allowed);
}
private boolean checkSameOrigin(String serverName, int port, String originHeader) {
private boolean checkSameOrigin(String scheme, String serverName, int port, String originHeader) {
MockHttpServletRequest servletRequest = new MockHttpServletRequest();
ServerHttpRequest request = new ServletServerHttpRequest(servletRequest);
servletRequest.setScheme(scheme);
servletRequest.setServerName(serverName);
if (port != -1) {
servletRequest.setServerPort(port);