root
/
spring-framework
mirror of https://github.com/spring-projects/spring-framework.git
1
0
Fork 0
Code Issues Actions 8 Packages Projects Releases Wiki Activity

Fix ForwardedHeaderFilter getRequestURL() 

Previously ForwardedHeaderFilter would return the same StringBuffer for every invocation. This
meant that users that modified the StringBuffer changed the state of the HttpServletRequest.

This commit ensures that a new StringBuffer is always returned for ForwardedHeaderFilter.

Issue: SPR-15423
This commit is contained in:
Bryan Kelly 2017-04-07 14:59:32 -05:00 committed by Rob Winch
parent a95843a068
commit 9a9166622e
2 changed files with 14 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
spring-web/src/main/java/org/springframework/web/filter/ForwardedHeaderFilter.java
View File

@ -118,7 +118,7 @@ public class ForwardedHeaderFilter extends OncePerRequestFilter {
private final String requestUri;
private final StringBuffer requestUrl;
private final String requestUrl;
private final Map<String, List<String>> headers;
@ -137,8 +137,8 @@ public class ForwardedHeaderFilter extends OncePerRequestFilter {
String prefix = getForwardedPrefix(request);
this.contextPath = (prefix != null ? prefix : request.getContextPath());
this.requestUri = this.contextPath + pathHelper.getPathWithinApplication(request);
this.requestUrl = new StringBuffer(this.scheme + "://" + this.host +
(port == -1 ? "" : ":" + port) + this.requestUri);
this.requestUrl = this.scheme + "://" + this.host +
(port == -1 ? "" : ":" + port) + this.requestUri;
this.headers = initHeaders(request);
}
@ -206,7 +206,7 @@ public class ForwardedHeaderFilter extends OncePerRequestFilter {
@Override
public StringBuffer getRequestURL() {
return this.requestUrl;
return new StringBuffer(this.requestUrl);
}
// Override header accessors to not expose forwarded headers

10
spring-web/src/test/java/org/springframework/web/filter/ForwardedHeaderFilterTests.java
View File

@ -204,6 +204,16 @@ public class ForwardedHeaderFilterTests {
HttpServletRequest actual = filterAndGetWrappedRequest();
assertEquals("http://localhost/prefix/mvc-showcase", actual.getRequestURL().toString());
}
@Test
public void requestURLNewStringBuffer() throws Exception {
this.request.addHeader(X_FORWARDED_PREFIX, "/prefix/");
this.request.setRequestURI("/mvc-showcase");
HttpServletRequest actual = filterAndGetWrappedRequest();
actual.getRequestURL().append("?key=value");
assertEquals("http://localhost/prefix/mvc-showcase", actual.getRequestURL().toString());
}
@Test
public void contextPathWithForwardedPrefix() throws Exception {