|
|
|
|
@@ -105,39 +105,40 @@ public class WebUtilsTests {
|
|
|
|
|
|
|
|
|
|
@Test
|
|
|
|
|
public void isSameOrigin() {
|
|
|
|
|
assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com"));
|
|
|
|
|
assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com:80"));
|
|
|
|
|
assertTrue(checkSameOrigin("mydomain1.com", 443, "https://mydomain1.com"));
|
|
|
|
|
assertTrue(checkSameOrigin("mydomain1.com", 443, "https://mydomain1.com:443"));
|
|
|
|
|
assertTrue(checkSameOrigin("mydomain1.com", 123, "http://mydomain1.com:123"));
|
|
|
|
|
assertTrue(checkSameOrigin("mydomain1.com", -1, "ws://mydomain1.com"));
|
|
|
|
|
assertTrue(checkSameOrigin("mydomain1.com", 443, "wss://mydomain1.com"));
|
|
|
|
|
assertTrue(checkSameOrigin("http", "mydomain1.com", -1, "http://mydomain1.com"));
|
|
|
|
|
assertTrue(checkSameOrigin("http", "mydomain1.com", -1, "http://mydomain1.com:80"));
|
|
|
|
|
assertTrue(checkSameOrigin("https", "mydomain1.com", 443, "https://mydomain1.com"));
|
|
|
|
|
assertTrue(checkSameOrigin("https", "mydomain1.com", 443, "https://mydomain1.com:443"));
|
|
|
|
|
assertTrue(checkSameOrigin("http", "mydomain1.com", 123, "http://mydomain1.com:123"));
|
|
|
|
|
assertTrue(checkSameOrigin("ws", "mydomain1.com", -1, "ws://mydomain1.com"));
|
|
|
|
|
assertTrue(checkSameOrigin("wss", "mydomain1.com", 443, "wss://mydomain1.com"));
|
|
|
|
|
|
|
|
|
|
assertFalse(checkSameOrigin("mydomain1.com", -1, "http://mydomain2.com"));
|
|
|
|
|
assertFalse(checkSameOrigin("mydomain1.com", -1, "https://mydomain1.com"));
|
|
|
|
|
assertFalse(checkSameOrigin("mydomain1.com", -1, "invalid-origin"));
|
|
|
|
|
assertFalse(checkSameOrigin("http", "mydomain1.com", -1, "http://mydomain2.com"));
|
|
|
|
|
assertFalse(checkSameOrigin("http", "mydomain1.com", -1, "https://mydomain1.com"));
|
|
|
|
|
assertFalse(checkSameOrigin("http", "mydomain1.com", -1, "invalid-origin"));
|
|
|
|
|
assertFalse(checkSameOrigin("https", "mydomain1.com", -1, "http://mydomain1.com"));
|
|
|
|
|
|
|
|
|
|
// Handling of invalid origins as described in SPR-13478
|
|
|
|
|
assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com/"));
|
|
|
|
|
assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com:80/"));
|
|
|
|
|
assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com/path"));
|
|
|
|
|
assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com:80/path"));
|
|
|
|
|
assertFalse(checkSameOrigin("mydomain2.com", -1, "http://mydomain1.com/"));
|
|
|
|
|
assertFalse(checkSameOrigin("mydomain2.com", -1, "http://mydomain1.com:80/"));
|
|
|
|
|
assertFalse(checkSameOrigin("mydomain2.com", -1, "http://mydomain1.com/path"));
|
|
|
|
|
assertFalse(checkSameOrigin("mydomain2.com", -1, "http://mydomain1.com:80/path"));
|
|
|
|
|
assertTrue(checkSameOrigin("http", "mydomain1.com", -1, "http://mydomain1.com/"));
|
|
|
|
|
assertTrue(checkSameOrigin("http", "mydomain1.com", -1, "http://mydomain1.com:80/"));
|
|
|
|
|
assertTrue(checkSameOrigin("http", "mydomain1.com", -1, "http://mydomain1.com/path"));
|
|
|
|
|
assertTrue(checkSameOrigin("http", "mydomain1.com", -1, "http://mydomain1.com:80/path"));
|
|
|
|
|
assertFalse(checkSameOrigin("http", "mydomain2.com", -1, "http://mydomain1.com/"));
|
|
|
|
|
assertFalse(checkSameOrigin("http", "mydomain2.com", -1, "http://mydomain1.com:80/"));
|
|
|
|
|
assertFalse(checkSameOrigin("http", "mydomain2.com", -1, "http://mydomain1.com/path"));
|
|
|
|
|
assertFalse(checkSameOrigin("http", "mydomain2.com", -1, "http://mydomain1.com:80/path"));
|
|
|
|
|
|
|
|
|
|
// Handling of IPv6 hosts as described in SPR-13525
|
|
|
|
|
assertTrue(checkSameOrigin("[::1]", -1, "http://[::1]"));
|
|
|
|
|
assertTrue(checkSameOrigin("[::1]", 8080, "http://[::1]:8080"));
|
|
|
|
|
assertTrue(checkSameOrigin(
|
|
|
|
|
assertTrue(checkSameOrigin("http", "[::1]", -1, "http://[::1]"));
|
|
|
|
|
assertTrue(checkSameOrigin("http", "[::1]", 8080, "http://[::1]:8080"));
|
|
|
|
|
assertTrue(checkSameOrigin("http",
|
|
|
|
|
"[2001:0db8:0000:85a3:0000:0000:ac1f:8001]", -1,
|
|
|
|
|
"http://[2001:0db8:0000:85a3:0000:0000:ac1f:8001]"));
|
|
|
|
|
assertTrue(checkSameOrigin(
|
|
|
|
|
assertTrue(checkSameOrigin("http",
|
|
|
|
|
"[2001:0db8:0000:85a3:0000:0000:ac1f:8001]", 8080,
|
|
|
|
|
"http://[2001:0db8:0000:85a3:0000:0000:ac1f:8001]:8080"));
|
|
|
|
|
assertFalse(checkSameOrigin("[::1]", -1, "http://[::1]:8080"));
|
|
|
|
|
assertFalse(checkSameOrigin("[::1]", 8080,
|
|
|
|
|
assertFalse(checkSameOrigin("http", "[::1]", -1, "http://[::1]:8080"));
|
|
|
|
|
assertFalse(checkSameOrigin("http", "[::1]", 8080,
|
|
|
|
|
"http://[2001:0db8:0000:85a3:0000:0000:ac1f:8001]:8080"));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@@ -175,9 +176,10 @@ public class WebUtilsTests {
|
|
|
|
|
return WebUtils.isValidOrigin(request, allowed);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private boolean checkSameOrigin(String serverName, int port, String originHeader) {
|
|
|
|
|
private boolean checkSameOrigin(String scheme, String serverName, int port, String originHeader) {
|
|
|
|
|
MockHttpServletRequest servletRequest = new MockHttpServletRequest();
|
|
|
|
|
ServerHttpRequest request = new ServletServerHttpRequest(servletRequest);
|
|
|
|
|
servletRequest.setScheme(scheme);
|
|
|
|
|
servletRequest.setServerName(serverName);
|
|
|
|
|
if (port != -1) {
|
|
|
|
|
servletRequest.setServerPort(port);
|
|
|
|
|
|