Reject CORS request with 403 if Origin header is malformed
When assessing if a request is a CORS request, both mvc and reactive `DefaultCorsProcessor` now catch `IllegalArgumentException` and turn this into a 403 rejection rather than letting the exception propagate into a 500 response. Closes gh-33688
This commit is contained in:
@@ -83,8 +83,15 @@ public class DefaultCorsProcessor implements CorsProcessor {
|
||||
response.addHeader(HttpHeaders.VARY, HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS);
|
||||
}
|
||||
|
||||
if (!CorsUtils.isCorsRequest(request)) {
|
||||
return true;
|
||||
try {
|
||||
if (!CorsUtils.isCorsRequest(request)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
catch (IllegalArgumentException ex) {
|
||||
logger.debug("Reject: origin is malformed");
|
||||
rejectRequest(new ServletServerHttpResponse(response));
|
||||
return false;
|
||||
}
|
||||
|
||||
if (response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN) != null) {
|
||||
|
||||
@@ -83,8 +83,15 @@ public class DefaultCorsProcessor implements CorsProcessor {
|
||||
}
|
||||
}
|
||||
|
||||
if (!CorsUtils.isCorsRequest(request)) {
|
||||
return true;
|
||||
try {
|
||||
if (!CorsUtils.isCorsRequest(request)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
catch (IllegalArgumentException ex) {
|
||||
logger.debug("Reject: origin is malformed");
|
||||
rejectRequest(response);
|
||||
return false;
|
||||
}
|
||||
|
||||
if (responseHeaders.getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN) != null) {
|
||||
|
||||
Reference in New Issue
Block a user