Avoid stacktrace for invalid Origin header values

This commit adds support for origins with a trailing slash or a path,
in order to avoid printing a stacktrace in the logs when
WebUtils#isSameOrigin(HttpRequest) parses such invalid Origin header
value.

Issue: SPR-13478
This commit is contained in:
Sebastien Deleuze
2015-09-28 11:03:51 +02:00
parent 3dcf8c1712
commit 9c66dfa7b5
2 changed files with 16 additions and 0 deletions

View File

@@ -132,6 +132,16 @@ public class WebUtilsTests {
assertFalse(checkSameOrigin("mydomain1.com", -1, "http://mydomain2.com"));
assertFalse(checkSameOrigin("mydomain1.com", -1, "https://mydomain1.com"));
assertFalse(checkSameOrigin("mydomain1.com", -1, "invalid-origin"));
// Handling of invalid origins as described in SPR-13478
assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com/"));
assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com:80/"));
assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com/path"));
assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com:80/path"));
assertFalse(checkSameOrigin("mydomain2.com", -1, "http://mydomain1.com/"));
assertFalse(checkSameOrigin("mydomain2.com", -1, "http://mydomain1.com:80/"));
assertFalse(checkSameOrigin("mydomain2.com", -1, "http://mydomain1.com/path"));
assertFalse(checkSameOrigin("mydomain2.com", -1, "http://mydomain1.com:80/path"));
}