Avoid stacktrace for invalid Origin header values

This commit adds support for origins with a trailing slash or a path,
in order to avoid printing a stacktrace in the logs when
WebUtils#isSameOrigin(HttpRequest) parses such invalid Origin header
value.

Issue: SPR-13478
This commit is contained in:
Sebastien Deleuze
2015-09-28 11:03:51 +02:00
parent 3dcf8c1712
commit 9c66dfa7b5
2 changed files with 16 additions and 0 deletions

View File

@@ -339,6 +339,7 @@ public class UriComponentsBuilder implements Cloneable {
/**
* Create an instance by parsing the "origin" header of an HTTP request.
* @see <a href="https://tools.ietf.org/html/rfc6454">RFC 6454</a>
*/
public static UriComponentsBuilder fromOriginHeader(String origin) {
UriComponentsBuilder builder = UriComponentsBuilder.newInstance();
@@ -347,6 +348,11 @@ public class UriComponentsBuilder implements Cloneable {
String schema = (schemaIdx != -1 ? origin.substring(0, schemaIdx) : "http");
builder.scheme(schema);
String hostString = (schemaIdx != -1 ? origin.substring(schemaIdx + 3) : origin);
// Handling of invalid origins as described in SPR-13478
int firstSlashIdx = hostString.indexOf("/");
if (firstSlashIdx != -1) {
hostString = hostString.substring(0, firstSlashIdx);
}
if (hostString.contains(":")) {
String[] hostAndPort = StringUtils.split(hostString, ":");
builder.host(hostAndPort[0]);