Prevent duplicated Vary headers in CORS processing

Closes gh-24829
Sébastien Deleuze
2020-04-15 11:23:33 +02:00
parent ae8f333d36
commit 67955dfb35
4 changed files with 60 additions and 9 deletions


@@ -1,5 +1,5 @@
/*
* Copyright 2002-2019 the original author or authors.
* Copyright 2002-2020 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -401,4 +401,16 @@ public class DefaultCorsProcessorTests {
assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_FORBIDDEN);
}
@Test
public void preventDuplicatedVaryHeaders() throws Exception {
this.request.setMethod(HttpMethod.GET.name());
this.response.addHeader(HttpHeaders.VARY, HttpHeaders.ORIGIN);
this.response.addHeader(HttpHeaders.VARY, HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD);
this.response.addHeader(HttpHeaders.VARY, HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS);
this.processor.processRequest(this.conf, this.request, this.response);
assertThat(this.response.getHeaders(HttpHeaders.VARY)).containsOnlyOnce(HttpHeaders.ORIGIN,
HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS);
}
}
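Review bot: The new test only exercises the case where all three Vary values are already present, so an implementation that skips the Vary additions whenever any Vary header exists would still pass; a second case that pre-sets only `Vary: Origin` and then asserts that all three values are present exactly once would pin the intended "add what is missing, never duplicate" behavior. The same gap applies to the reactive counterpart `preventDuplicatedVaryHeaders` in the second file section. The return value of `processRequest` is also dropped on the call line; if it reports whether the request was handled as a CORS request, asserting it (`assertThat(this.processor.processRequest(this.conf, this.request, this.response)).isTrue();`) would stop the test passing on a request rejected before the headers are touched. Whether the fixture's setUp supplies the Origin header the processor needs is not visible in this hunk.
```java
@Test
public void addsMissingVaryHeadersWithoutDuplicates() throws Exception {
	this.request.setMethod(HttpMethod.GET.name());
	this.response.addHeader(HttpHeaders.VARY, HttpHeaders.ORIGIN);
	this.processor.processRequest(this.conf, this.request, this.response);
	assertThat(this.response.getHeaders(HttpHeaders.VARY)).containsOnlyOnce(HttpHeaders.ORIGIN,
			HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS);
}
```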


@@ -1,5 +1,5 @@
/*
* Copyright 2002-2019 the original author or authors.
* Copyright 2002-2020 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -421,6 +421,25 @@ public class DefaultCorsProcessorTests {
assertThat(response.getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN);
}
@Test
public void preventDuplicatedVaryHeaders() {
MockServerHttpRequest request = MockServerHttpRequest
.method(HttpMethod.GET, "http://domain1.example/test.html")
.header(HttpHeaders.ORIGIN, "http://domain1.example")
.build();
ServerWebExchange exchange = MockServerWebExchange.from(request);
ServerHttpResponse response = exchange.getResponse();
HttpHeaders responseHeaders = response.getHeaders();
responseHeaders.add(VARY, ORIGIN);
responseHeaders.add(VARY, ACCESS_CONTROL_REQUEST_METHOD);
responseHeaders.add(VARY, ACCESS_CONTROL_REQUEST_HEADERS);
this.processor.process(this.conf, exchange);
assertThat(responseHeaders.get(VARY)).containsOnlyOnce(ORIGIN,
ACCESS_CONTROL_REQUEST_METHOD, ACCESS_CONTROL_REQUEST_HEADERS);
}
private ServerWebExchange actualRequest() {
return MockServerWebExchange.from(corsRequest(HttpMethod.GET));