Check scheme in (WebUtils|CorsUtils)#isSameOrigin

Issue: SPR-16362
Sebastien Deleuze
2018-08-08 11:31:18 +02:00
parent 7e9b7102b7
commit 896eb5687a
4 changed files with 42 additions and 27 deletions


@@ -69,13 +69,16 @@ public abstract class CorsUtils {
}
URI uri = request.getURI();
String actualScheme = uri.getScheme();
String actualHost = uri.getHost();
int actualPort = getPort(uri.getScheme(), uri.getPort());
Assert.notNull(actualScheme, "Actual request scheme must not be null");
Assert.notNull(actualHost, "Actual request host must not be null");
Assert.isTrue(actualPort != -1, "Actual request port must not be undefined");
UriComponents originUrl = UriComponentsBuilder.fromOriginHeader(origin).build();
return (actualHost.equals(originUrl.getHost()) &&
return (actualScheme.equals(originUrl.getScheme()) &&
actualHost.equals(originUrl.getHost()) &&
actualPort == getPort(originUrl.getScheme(), originUrl.getPort()));
}
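Review bot: The scheme check added to the return expression, `actualScheme.equals(originUrl.getScheme())`, reads the scheme from `request.getURI()`, so it compares the Origin header against the scheme the application sees, which is not necessarily the one the browser used. If TLS is terminated upstream and forwarded headers have not been applied to the request before this call (not visible in the hunk), an `https` Origin will not match and a same-origin request is treated as cross-origin. That fails closed, but the assumption deserves a comment above the return, for example `// scheme is part of the origin (RFC 6454); the request URI must already reflect any forwarded scheme`. As a smaller point, `getPort(uri.getScheme(), uri.getPort())` can take `actualScheme` now that it is a local. The method begins above the hunk.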


@@ -813,7 +813,8 @@ public abstract class WebUtils {
}
UriComponents originUrl = UriComponentsBuilder.fromOriginHeader(origin).build();
return (ObjectUtils.nullSafeEquals(host, originUrl.getHost()) &&
return (ObjectUtils.nullSafeEquals(scheme, originUrl.getScheme()) &&
ObjectUtils.nullSafeEquals(host, originUrl.getHost()) &&
getPort(scheme, port) == getPort(originUrl.getScheme(), originUrl.getPort()));
}
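Review bot: `ObjectUtils.nullSafeEquals(scheme, originUrl.getScheme())` treats two nulls as equal, so this version of the check does not fail closed when the scheme is missing on both sides, and the same holds for the host comparison on the next line. The CorsUtils variant in this commit asserts that scheme and host are non-null before comparing; whether `scheme` and `host` can be null here depends on code above the hunk. If they can, a guard before the return such as `if (scheme == null || host == null) { return false; }` would keep the two helpers consistent. The method begins above the hunk.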