You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2015/01/22 11:03:32 UTC
svn commit: r1653798 - in /tomcat/tc8.0.x/trunk: ./
java/org/apache/catalina/filters/CorsFilter.java
test/org/apache/catalina/filters/TestCorsFilter.java
test/org/apache/catalina/filters/TesterFilterConfigs.java
webapps/docs/changelog.xml
Author: markt
Date: Thu Jan 22 10:03:32 2015
New Revision: 1653798
URL: http://svn.apache.org/r1653798
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=57178
Origin values of "null" should be included if "*" is allowed.
Patch provided by Gregor Zurowski
Modified:
tomcat/tc8.0.x/trunk/ (props changed)
tomcat/tc8.0.x/trunk/java/org/apache/catalina/filters/CorsFilter.java
tomcat/tc8.0.x/trunk/test/org/apache/catalina/filters/TestCorsFilter.java
tomcat/tc8.0.x/trunk/test/org/apache/catalina/filters/TesterFilterConfigs.java
tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
Propchange: tomcat/tc8.0.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Jan 22 10:03:32 2015
@@ -1 +1 @@
-/tomcat/trunk:1636524,1637156,1637176,1637188,1637331,1637684,1637695,1638720-1638725,1639653,1640010,1640083-1640084,1640088,1640275,1640322,1640347,1640361,1640365,1640403,1640410,1640652,1640655-1640658,1640688,1640700-1640883,1640903,1640976,1640978,1641000,1641026,1641038-1641039,1641051-1641052,1641058,1641064,1641300,1641369,1641374,1641380,1641486,1641634,1641656-1641692,1641704,1641707-1641718,1641720-1641722,1641735,1641981,1642233,1642280,1642554,1642564,1642595,1642606,1642668,1642679,1642697,1642699,1642766,1643002,1643045,1643054-1643055,1643066,1643121,1643128,1643206,1643209-1643210,1643216,1643249,1643270,1643283,1643309-1643310,1643323,1643365-1643366,1643370-1643371,1643465,1643474,1643536,1643570,1643634,1643649,1643651,1643654,1643675,1643731,1643733-1643734,1643761,1643766,1643814,1643937,1643963,1644017,1644169,1644201-1644203,1644321,1644323,1644516,1644523,1644529,1644535,1644730,1644768,1644784-1644785,1644790,1644793,1644815,1644884,1644886,1644890,1644892
,1644910,1644924,1644929-1644930,1644935,1644989,1645011,1645247,1645355,1645357-1645358,1645455,1645465,1645469,1645471,1645473,1645475,1645486-1645488,1645626,1645641,1645685,1645743,1645763,1645951-1645953,1645955,1645993,1646098-1646106,1646178,1646220,1646302,1646304,1646420,1646470-1646471,1646476,1646559,1646717-1646723,1646773,1647026,1647042,1647530,1647655,1648304,1648815,1648907,1650081,1650365,1651116,1651120,1651280,1651470,1652938,1652970,1653041,1653471,1653550,1653574
+/tomcat/trunk:1636524,1637156,1637176,1637188,1637331,1637684,1637695,1638720-1638725,1639653,1640010,1640083-1640084,1640088,1640275,1640322,1640347,1640361,1640365,1640403,1640410,1640652,1640655-1640658,1640688,1640700-1640883,1640903,1640976,1640978,1641000,1641026,1641038-1641039,1641051-1641052,1641058,1641064,1641300,1641369,1641374,1641380,1641486,1641634,1641656-1641692,1641704,1641707-1641718,1641720-1641722,1641735,1641981,1642233,1642280,1642554,1642564,1642595,1642606,1642668,1642679,1642697,1642699,1642766,1643002,1643045,1643054-1643055,1643066,1643121,1643128,1643206,1643209-1643210,1643216,1643249,1643270,1643283,1643309-1643310,1643323,1643365-1643366,1643370-1643371,1643465,1643474,1643536,1643570,1643634,1643649,1643651,1643654,1643675,1643731,1643733-1643734,1643761,1643766,1643814,1643937,1643963,1644017,1644169,1644201-1644203,1644321,1644323,1644516,1644523,1644529,1644535,1644730,1644768,1644784-1644785,1644790,1644793,1644815,1644884,1644886,1644890,1644892
,1644910,1644924,1644929-1644930,1644935,1644989,1645011,1645247,1645355,1645357-1645358,1645455,1645465,1645469,1645471,1645473,1645475,1645486-1645488,1645626,1645641,1645685,1645743,1645763,1645951-1645953,1645955,1645993,1646098-1646106,1646178,1646220,1646302,1646304,1646420,1646470-1646471,1646476,1646559,1646717-1646723,1646773,1647026,1647042,1647530,1647655,1648304,1648815,1648907,1650081,1650365,1651116,1651120,1651280,1651470,1652938,1652970,1653041,1653471,1653550,1653574,1653797
Modified: tomcat/tc8.0.x/trunk/java/org/apache/catalina/filters/CorsFilter.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/catalina/filters/CorsFilter.java?rev=1653798&r1=1653797&r2=1653798&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/catalina/filters/CorsFilter.java (original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/catalina/filters/CorsFilter.java Thu Jan 22 10:03:32 2015
@@ -800,6 +800,7 @@ public final class CorsFilter implements
* Checks if a given origin is valid or not. Criteria:
* <ul>
* <li>If an encoded character is present in origin, it's not valid.</li>
+ * <li>If origin is "null", it's valid.</li>
* <li>Origin should be a valid {@link URI}</li>
* </ul>
*
@@ -812,6 +813,11 @@ public final class CorsFilter implements
return false;
}
+ // "null" is a valid origin
+ if ("null".equals(origin)) {
+ return true;
+ }
+
URI originURI;
try {
Modified: tomcat/tc8.0.x/trunk/test/org/apache/catalina/filters/TestCorsFilter.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/test/org/apache/catalina/filters/TestCorsFilter.java?rev=1653798&r1=1653797&r2=1653798&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/test/org/apache/catalina/filters/TestCorsFilter.java (original)
+++ tomcat/tc8.0.x/trunk/test/org/apache/catalina/filters/TestCorsFilter.java Thu Jan 22 10:03:32 2015
@@ -497,10 +497,10 @@ public class TestCorsFilter {
}
/*
- * Negative test, when a CORS request arrives, with a null origin.
+ * Negative test, when a CORS request arrives, with no origin header.
*/
@Test
- public void testDoFilterNullOrigin() throws IOException, ServletException {
+ public void testDoFilterNoOrigin() throws IOException, ServletException {
TesterHttpServletRequest request = new TesterHttpServletRequest();
request.setMethod("POST");
@@ -536,6 +536,58 @@ public class TestCorsFilter {
response.getStatus());
}
+ /*
+ * A CORS request arrives with a "null" origin which is allowed by default.
+ */
+ @Test
+ public void testDoFilterNullOriginAllowedByDefault() throws IOException,
+ ServletException {
+ TesterHttpServletRequest request = new TesterHttpServletRequest();
+
+ request.setMethod("POST");
+ request.setContentType("text/plain");
+ request.setHeader(CorsFilter.REQUEST_HEADER_ORIGIN, "null");
+ TesterHttpServletResponse response = new TesterHttpServletResponse();
+
+ CorsFilter corsFilter = new CorsFilter();
+ corsFilter.init(TesterFilterConfigs.getDefaultFilterConfig());
+ CorsFilter.CORSRequestType requestType =
+ corsFilter.checkRequestType(request);
+ Assert.assertEquals(CorsFilter.CORSRequestType.SIMPLE, requestType);
+
+ corsFilter.doFilter(request, response, filterChain);
+
+ Assert.assertTrue(((Boolean) request.getAttribute(
+ CorsFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)).booleanValue());
+ }
+
+ /*
+ * A CORS request arrives with a "null" origin which is explicitly allowed
+ * by configuration.
+ */
+ @Test
+ public void testDoFilterNullOriginAllowedByConfiguration() throws
+ IOException, ServletException {
+ TesterHttpServletRequest request = new TesterHttpServletRequest();
+
+ request.setMethod("POST");
+ request.setContentType("text/plain");
+ request.setHeader(CorsFilter.REQUEST_HEADER_ORIGIN, "null");
+ TesterHttpServletResponse response = new TesterHttpServletResponse();
+
+ CorsFilter corsFilter = new CorsFilter();
+ corsFilter.init(
+ TesterFilterConfigs.getFilterConfigSpecificOriginNullAllowed());
+ CorsFilter.CORSRequestType requestType =
+ corsFilter.checkRequestType(request);
+ Assert.assertEquals(CorsFilter.CORSRequestType.SIMPLE, requestType);
+
+ corsFilter.doFilter(request, response, filterChain);
+
+ Assert.assertTrue(((Boolean) request.getAttribute(
+ CorsFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)).booleanValue());
+ }
+
@Test(expected = ServletException.class)
public void testDoFilterNullRequestNullResponse() throws IOException,
ServletException {
@@ -1034,6 +1086,24 @@ public class TestCorsFilter {
corsFilter.doFilter(request, response, filterChain);
Assert.assertEquals(HttpServletResponse.SC_FORBIDDEN,
response.getStatus());
+ }
+
+ /*
+ * Tests for failure, when the 'null' origin is used, and it's not in the
+ * list of allowed origins.
+ */
+ @Test
+ public void testCheckNullOriginNotAllowed() throws ServletException,
+ IOException {
+ TesterHttpServletRequest request = new TesterHttpServletRequest();
+ TesterHttpServletResponse response = new TesterHttpServletResponse();
+ request.setHeader(CorsFilter.REQUEST_HEADER_ORIGIN, "null");
+ request.setMethod("GET");
+ CorsFilter corsFilter = new CorsFilter();
+ corsFilter.init(TesterFilterConfigs.getSpecificOriginFilterConfig());
+ corsFilter.doFilter(request, response, filterChain);
+ Assert.assertEquals(HttpServletResponse.SC_FORBIDDEN,
+ response.getStatus());
}
/*
Modified: tomcat/tc8.0.x/trunk/test/org/apache/catalina/filters/TesterFilterConfigs.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/test/org/apache/catalina/filters/TesterFilterConfigs.java?rev=1653798&r1=1653797&r2=1653798&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/test/org/apache/catalina/filters/TesterFilterConfigs.java (original)
+++ tomcat/tc8.0.x/trunk/test/org/apache/catalina/filters/TesterFilterConfigs.java Thu Jan 22 10:03:32 2015
@@ -106,6 +106,24 @@ public class TesterFilterConfigs {
preflightMaxAge, decorateRequest);
}
+ public static FilterConfig getFilterConfigSpecificOriginNullAllowed() {
+ final String allowedHttpHeaders =
+ CorsFilter.DEFAULT_ALLOWED_HTTP_HEADERS;
+ final String allowedHttpMethods =
+ CorsFilter.DEFAULT_ALLOWED_HTTP_METHODS;
+ final String allowedOrigins = HTTP_TOMCAT_APACHE_ORG + ",null";
+ final String exposedHeaders = CorsFilter.DEFAULT_EXPOSED_HEADERS;
+ final String supportCredentials =
+ CorsFilter.DEFAULT_SUPPORTS_CREDENTIALS;
+ final String preflightMaxAge =
+ CorsFilter.DEFAULT_PREFLIGHT_MAXAGE;
+ final String decorateRequest = CorsFilter.DEFAULT_DECORATE_REQUEST;
+
+ return generateFilterConfig(allowedHttpHeaders, allowedHttpMethods,
+ allowedOrigins, exposedHeaders, supportCredentials,
+ preflightMaxAge, decorateRequest);
+ }
+
public static FilterConfig getFilterConfigWithExposedHeaders() {
final String allowedHttpHeaders =
CorsFilter.DEFAULT_ALLOWED_HTTP_HEADERS;
Modified: tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml?rev=1653798&r1=1653797&r2=1653798&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml Thu Jan 22 10:03:32 2015
@@ -48,6 +48,11 @@
<subsection name="Catalina">
<changelog>
<fix>
+ <bug>57178</bug>: The CORS filter now treats <code>null</code> as a
+ valid origin that matches <code>*</code>. Patch provided by Gregor
+ Zurowski. (markt)
+ </fix>
+ <fix>
<bug>57425</bug>: Don't add attributes with null value or name to the
replicated context. (fschumacher)
</fix>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org