Protect RequestCondition against unkown HTTP methods

The RequestMethodsRequestCondition is now protected against HTTP request method values not present in the RequestMethod enumeration (e.g. PROPFIND). Issue: SPR-9815
2012-09-20 17:39:07 -07:00 · 2012-09-20 17:39:07 -07:00 · c0729756d7
parent b0153ada19
commit c0729756d7
2 changed files with 36 additions and 15 deletions
--- a/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/condition/RequestMethodsRequestCondition.java
+++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/condition/RequestMethodsRequestCondition.java
@ -87,32 +87,43 @@ public final class RequestMethodsRequestCondition extends AbstractRequestConditi
 	}

 	/**
-	 * Checks if any of the HTTP request methods match the given request and returns
-	 * an instance that contains the matching request method only.
+	 * Check if any of the HTTP request methods match the given request and
+	 * return an instance that contains the matching HTTP request method only.
+	 *
 	 * @param request the current request
-	 * @return the same instance if the condition contains no request method;
-	 * 		or a new condition with the matching request method;
-	 * 		or {@code null} if no request methods match.
+	 * @return the same instance if the condition is empty, a new condition with
+	 * the matched request method, or {@code null} if no request methods match
 	 */
 	public RequestMethodsRequestCondition getMatchingCondition(HttpServletRequest request) {
-		if (methods.isEmpty()) {
+		if (this.methods.isEmpty()) {
 			return this;
 		}
-		RequestMethod incomingRequestMethod = RequestMethod.valueOf(request.getMethod());
-		for (RequestMethod method : methods) {
-			if (method.equals(incomingRequestMethod)) {
-				return new RequestMethodsRequestCondition(method);
+		RequestMethod incomingRequestMethod = getRequestMethod(request);
+		if(incomingRequestMethod != null) {
+			for (RequestMethod method : this.methods) {
+				if (method.equals(incomingRequestMethod)) {
+					return new RequestMethodsRequestCondition(method);
+				}
 			}
 		}
 		return null;
 	}

+	private RequestMethod getRequestMethod(HttpServletRequest request) {
+		try {
+			return RequestMethod.valueOf(request.getMethod());
+		}
+		catch (IllegalArgumentException e) {
+			return null;
+		}
+	}
+
 	/**
 	 * Returns:
 	 * <ul>
-	 * 	<li>0 if the two conditions contain the same number of HTTP request methods.
-	 * 	<li>Less than 0 if "this" instance has an HTTP request method but "other" doesn't.
-	 * 	<li>Greater than 0 "other" has an HTTP request method but "this" doesn't.
+	 * 	<li>0 if the two conditions contain the same number of HTTP request methods
+	 * 	<li>Less than 0 if "this" instance has an HTTP request method but "other" doesn't
+	 * 	<li>Greater than 0 "other" has an HTTP request method but "this" doesn't
 	 * </ul>
 	 *
 	 * <p>It is assumed that both instances have been obtained via
--- a/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/condition/RequestMethodsRequestConditionTests.java
+++ b/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/condition/RequestMethodsRequestConditionTests.java
@ -16,6 +16,7 @@

 package org.springframework.web.servlet.mvc.condition;

+import static org.junit.Assert.*;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNull;
@ -47,7 +48,7 @@ public class RequestMethodsRequestConditionTests {

 		assertNull(condition.getMatchingCondition(request));
 	}
-	
+
 	@Test
 	public void multipleMethodsMatch() {
 		RequestMethodsRequestCondition condition = new RequestMethodsRequestCondition(RequestMethod.GET, RequestMethod.POST);
@ -66,6 +67,15 @@ public class RequestMethodsRequestConditionTests {
 		assertNotNull(condition.getMatchingCondition(new MockHttpServletRequest("HEAD", "")));
 	}

+	@Test
+	public void unknownMethodType() throws Exception {
+		RequestMethodsRequestCondition condition = new RequestMethodsRequestCondition(RequestMethod.GET, RequestMethod.POST);
+
+		MockHttpServletRequest request = new MockHttpServletRequest("PROPFIND", "/foo");
+
+		assertNull(condition.getMatchingCondition(request));
+	}
+
 	@Test
 	public void compareTo() {
 		RequestMethodsRequestCondition condition1 = new RequestMethodsRequestCondition(RequestMethod.GET, RequestMethod.HEAD);
@ -73,7 +83,7 @@ public class RequestMethodsRequestConditionTests {
 		RequestMethodsRequestCondition condition3 = new RequestMethodsRequestCondition();

 		MockHttpServletRequest request = new MockHttpServletRequest();
-		
+
 		int result = condition1.compareTo(condition2, request);
 		assertTrue("Invalid comparison result: " + result, result < 0);