Reject CORS request with 403 if Origin header is malformed

When assessing if a request is a CORS request, both mvc and reactive
`DefaultCorsProcessor` now catch `IllegalArgumentException` and turn
this into a 403 rejection rather than letting the exception propagate
into a 500 response.

Closes gh-33688
This commit is contained in:
Simon Baslé
2024-10-14 11:33:30 +02:00
parent f991c19b30
commit 8da31e1db7
4 changed files with 47 additions and 4 deletions

View File

@@ -83,8 +83,15 @@ public class DefaultCorsProcessor implements CorsProcessor {
response.addHeader(HttpHeaders.VARY, HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS);
}
if (!CorsUtils.isCorsRequest(request)) {
return true;
try {
if (!CorsUtils.isCorsRequest(request)) {
return true;
}
}
catch (IllegalArgumentException ex) {
logger.debug("Reject: origin is malformed");
rejectRequest(new ServletServerHttpResponse(response));
return false;
}
if (response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN) != null) {

View File

@@ -83,8 +83,15 @@ public class DefaultCorsProcessor implements CorsProcessor {
}
}
if (!CorsUtils.isCorsRequest(request)) {
return true;
try {
if (!CorsUtils.isCorsRequest(request)) {
return true;
}
}
catch (IllegalArgumentException ex) {
logger.debug("Reject: origin is malformed");
rejectRequest(response);
return false;
}
if (responseHeaders.getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN) != null) {