Posted to commits@sling.apache.org by cr...@apache.org on 2021/09/28 08:52:57 UTC

[sling-org-apache-sling-security] 01/01: As discussed in SLING-3469, there's no need to have app:// as an hard-coded allowance around the Referrer Filter. The test adds a allow.hosts.regexp configuration showing that applications can configure the AIR allowance if needed.

This is an automated email from the ASF dual-hosted git repository.

cris pushed a commit to branch remove-hard-coded-air-allowance
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git

commit 2edc2862066aa388ba4f102860e0daa869d21a61
Author: Cris Rockwell <cm...@umich.edu>
AuthorDate: Tue Sep 28 04:52:31 2021 -0400

    As discussed in SLING-3469, there's no need to have app:// as a hard-coded allowance around the Referrer Filter. The test adds an allow.hosts.regexp configuration showing that applications can configure the AIR allowance if needed.
---
 src/main/java/org/apache/sling/security/impl/ReferrerFilter.java    | 4 ----
 .../java/org/apache/sling/security/impl/ReferrerFilterTest.java     | 6 +++++-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java b/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
index b5e7aea..b3aee71 100644
--- a/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
+++ b/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
@@ -383,10 +383,6 @@ public class ReferrerFilter implements  Preprocessor {
         if ( referrer.indexOf(":/") == - 1 ) {
             return true;
         }
-        // check for air referrer - which is always allowed
-        if ( referrer.startsWith("app:/") ) {
-            return true;
-        }
 
         final HostInfo info = getHost(referrer);
         if ( info == null ) {
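Review bot: With the app:/ special case removed, an `app://` referrer now falls through to `getHost(referrer)` and the `info == null` branch just below, whose body lies outside the hunk, so whether such a referrer is rejected outright or deferred to the configured host regexps depends on how `getHost` treats non-http(s) schemes, which this hunk does not show. That is a runtime behaviour change for deployments that relied on the implicit allowance, and nothing in the code records it. A one-line comment at the removal point would keep the intent visible: `// app:// (AIR) referrers are no longer implicitly allowed; configure allow.hosts.regexp instead (SLING-3469)`, and the Javadoc of the allow.hosts.regexp configuration property should say the same. The enclosing method starts and ends outside the hunk.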
diff --git a/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java b/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java
index 6214b18..13924ac 100644
--- a/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java
+++ b/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java
@@ -61,7 +61,10 @@ public class ReferrerFilterTest {
 
             @Override
             public String[] allow_hosts_regexp() {
-                return new String[]{"http://([^.]*.)?abshost:80"};
+                return new String[]{
+                    "http://([^.]*.)?abshost:80",
+                    "^app://.+"
+                };
             }
 
             @Override
@@ -132,6 +135,7 @@ public class ReferrerFilterTest {
         Assert.assertEquals(false, filter.isValidRequest(getRequest("http://abshost:9001")));
         Assert.assertEquals(true, filter.isValidRequest(getRequest("http://another.abshost:80")));
         Assert.assertEquals(false, filter.isValidRequest(getRequest("http://yet.another.abshost:80")));
+        Assert.assertEquals(true, filter.isValidRequest(getRequest("app://yet.another.abshost:80")));
     }
 
     @Test
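Review bot: The added assertion on `app://yet.another.abshost:80` only shows that the configured `^app://.+` pattern lets the referrer through; it would also have passed before this commit, so nothing in the test proves the hard-coded allowance is gone. A companion negative check against a filter configured without the `app://` pattern, e.g. `Assert.assertEquals(false, filter.isValidRequest(getRequest("app://yet.another.abshost:80")));` on that instance, would pin the behaviour change the commit message describes. The filter fixture and its setup are outside the hunk, so the exact instance to use cannot be confirmed from here.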