You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2015/03/18 22:16:27 UTC
svn commit: r1667617 - in /tomcat/tc8.0.x/trunk: ./
java/org/apache/catalina/filters/CorsFilter.java
test/org/apache/catalina/filters/TestCorsFilter.java
test/org/apache/catalina/filters/TesterHttpServletRequest.java
webapps/docs/changelog.xml
Author: markt
Date: Wed Mar 18 21:16:26 2015
New Revision: 1667617
URL: http://svn.apache.org/r1667617
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=57724
Handle the case where the UA provides an Origin header for a non-CORS request.
Modified:
tomcat/tc8.0.x/trunk/ (props changed)
tomcat/tc8.0.x/trunk/java/org/apache/catalina/filters/CorsFilter.java
tomcat/tc8.0.x/trunk/test/org/apache/catalina/filters/TestCorsFilter.java
tomcat/tc8.0.x/trunk/test/org/apache/catalina/filters/TesterHttpServletRequest.java
tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
Propchange: tomcat/tc8.0.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Mar 18 21:16:26 2015
@@ -1 +1 @@
-/tomcat/trunk:1636524,1637156,1637176,1637188,1637331,1637684,1637695,1638720-1638725,1639653,1640010,1640083-1640084,1640088,1640275,1640322,1640347,1640361,1640365,1640403,1640410,1640652,1640655-1640658,1640688,1640700-1640883,1640903,1640976,1640978,1641000,1641026,1641038-1641039,1641051-1641052,1641058,1641064,1641300,1641369,1641374,1641380,1641486,1641634,1641656-1641692,1641704,1641707-1641718,1641720-1641722,1641735,1641981,1642233,1642280,1642554,1642564,1642595,1642606,1642668,1642679,1642697,1642699,1642766,1643002,1643045,1643054-1643055,1643066,1643121,1643128,1643206,1643209-1643210,1643216,1643249,1643270,1643283,1643309-1643310,1643323,1643365-1643366,1643370-1643371,1643465,1643474,1643536,1643570,1643634,1643649,1643651,1643654,1643675,1643731,1643733-1643734,1643761,1643766,1643814,1643937,1643963,1644017,1644169,1644201-1644203,1644321,1644323,1644516,1644523,1644529,1644535,1644730,1644768,1644784-1644785,1644790,1644793,1644815,1644884,1644886,1644890,1644892
,1644910,1644924,1644929-1644930,1644935,1644989,1645011,1645247,1645355,1645357-1645358,1645455,1645465,1645469,1645471,1645473,1645475,1645486-1645488,1645626,1645641,1645685,1645743,1645763,1645951-1645953,1645955,1645993,1646098-1646106,1646178,1646220,1646302,1646304,1646420,1646470-1646471,1646476,1646559,1646717-1646723,1646773,1647026,1647042,1647530,1647655,1648304,1648815,1648907,1650081,1650365,1651116,1651120,1651280,1651470,1652938,1652970,1653041,1653471,1653550,1653574,1653797,1653815-1653816,1653819,1653840,1653857,1653888,1653972,1654013,1654030,1654050,1654123,1654148,1654159,1654513,1654515,1654517,1654522,1654524,1654725,1654735,1654766,1654785,1654851-1654852,1654978,1655122-1655124,1655126-1655127,1655129-1655130,1655132-1655133,1655312,1655438,1655441,1655454,1655558,1656087,1656299,1656319,1656331,1656345,1656350,1656590,1656648-1656650,1656657,1657041,1657054,1657374,1657492,1657510,1657565,1657580,1657584,1657586,1657589,1657592,1657607,1657609,1657682,1657
907,1658207,1658734,1658781,1658790,1658799,1658802,1658804,1658833,1658840,1658966,1659043,1659053,1659059,1659188-1659189,1659216,1659263,1659293,1659304,1659306-1659307,1659382,1659384,1659428,1659471,1659486,1659505,1659516,1659521,1659524,1659559,1659562,1659803,1659806,1659814,1659833,1659862,1659905,1659919,1659948,1659967,1659983-1659984,1660060,1660074,1660077,1660133,1660168,1660331-1660332,1660353,1660358,1660924,1661386,1661867,1661972,1661990,1662200,1662308-1662309,1662548,1662614,1662736,1662985,1662988-1662989,1663264,1663277,1663298,1663324,1663534,1663562,1663676,1663715,1663754,1663768,1663772,1663781,1663893,1663995,1664143,1664163,1664174,1664301,1664317,1664347,1664657,1664659,1664710,1664863-1664864,1664866,1665085,1665292,1665559,1665653,1665661,1665672,1665694,1665697,1665736,1665779,1665976-1665977,1665980-1665981,1665985-1665986,1665989,1665998,1666004,1666008,1666013,1666017,1666024,1666116,1666386-1666387,1666494,1666496,1666552,1666569,1666579,1666637,1
666649,1666757,1666966,1666972,1666985,1666995,1666997,1667292,1667402,1667406,1667546
+/tomcat/trunk:1636524,1637156,1637176,1637188,1637331,1637684,1637695,1638720-1638725,1639653,1640010,1640083-1640084,1640088,1640275,1640322,1640347,1640361,1640365,1640403,1640410,1640652,1640655-1640658,1640688,1640700-1640883,1640903,1640976,1640978,1641000,1641026,1641038-1641039,1641051-1641052,1641058,1641064,1641300,1641369,1641374,1641380,1641486,1641634,1641656-1641692,1641704,1641707-1641718,1641720-1641722,1641735,1641981,1642233,1642280,1642554,1642564,1642595,1642606,1642668,1642679,1642697,1642699,1642766,1643002,1643045,1643054-1643055,1643066,1643121,1643128,1643206,1643209-1643210,1643216,1643249,1643270,1643283,1643309-1643310,1643323,1643365-1643366,1643370-1643371,1643465,1643474,1643536,1643570,1643634,1643649,1643651,1643654,1643675,1643731,1643733-1643734,1643761,1643766,1643814,1643937,1643963,1644017,1644169,1644201-1644203,1644321,1644323,1644516,1644523,1644529,1644535,1644730,1644768,1644784-1644785,1644790,1644793,1644815,1644884,1644886,1644890,1644892
,1644910,1644924,1644929-1644930,1644935,1644989,1645011,1645247,1645355,1645357-1645358,1645455,1645465,1645469,1645471,1645473,1645475,1645486-1645488,1645626,1645641,1645685,1645743,1645763,1645951-1645953,1645955,1645993,1646098-1646106,1646178,1646220,1646302,1646304,1646420,1646470-1646471,1646476,1646559,1646717-1646723,1646773,1647026,1647042,1647530,1647655,1648304,1648815,1648907,1650081,1650365,1651116,1651120,1651280,1651470,1652938,1652970,1653041,1653471,1653550,1653574,1653797,1653815-1653816,1653819,1653840,1653857,1653888,1653972,1654013,1654030,1654050,1654123,1654148,1654159,1654513,1654515,1654517,1654522,1654524,1654725,1654735,1654766,1654785,1654851-1654852,1654978,1655122-1655124,1655126-1655127,1655129-1655130,1655132-1655133,1655312,1655438,1655441,1655454,1655558,1656087,1656299,1656319,1656331,1656345,1656350,1656590,1656648-1656650,1656657,1657041,1657054,1657374,1657492,1657510,1657565,1657580,1657584,1657586,1657589,1657592,1657607,1657609,1657682,1657
907,1658207,1658734,1658781,1658790,1658799,1658802,1658804,1658833,1658840,1658966,1659043,1659053,1659059,1659188-1659189,1659216,1659263,1659293,1659304,1659306-1659307,1659382,1659384,1659428,1659471,1659486,1659505,1659516,1659521,1659524,1659559,1659562,1659803,1659806,1659814,1659833,1659862,1659905,1659919,1659948,1659967,1659983-1659984,1660060,1660074,1660077,1660133,1660168,1660331-1660332,1660353,1660358,1660924,1661386,1661867,1661972,1661990,1662200,1662308-1662309,1662548,1662614,1662736,1662985,1662988-1662989,1663264,1663277,1663298,1663324,1663534,1663562,1663676,1663715,1663754,1663768,1663772,1663781,1663893,1663995,1664143,1664163,1664174,1664301,1664317,1664347,1664657,1664659,1664710,1664863-1664864,1664866,1665085,1665292,1665559,1665653,1665661,1665672,1665694,1665697,1665736,1665779,1665976-1665977,1665980-1665981,1665985-1665986,1665989,1665998,1666004,1666008,1666013,1666017,1666024,1666116,1666386-1666387,1666494,1666496,1666552,1666569,1666579,1666637,1
666649,1666757,1666966,1666972,1666985,1666995,1666997,1667292,1667402,1667406,1667546,1667615
Modified: tomcat/tc8.0.x/trunk/java/org/apache/catalina/filters/CorsFilter.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/catalina/filters/CorsFilter.java?rev=1667617&r1=1667616&r2=1667617&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/catalina/filters/CorsFilter.java (original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/catalina/filters/CorsFilter.java Wed Mar 18 21:16:26 2015
@@ -620,6 +620,8 @@ public final class CorsFilter implements
requestType = CORSRequestType.INVALID_CORS;
} else if (!isValidOrigin(originHeader)) {
requestType = CORSRequestType.INVALID_CORS;
+ } else if (isLocalOrigin(request, originHeader)) {
+ return CORSRequestType.NOT_CORS;
} else {
String method = request.getMethod();
if (method != null) {
@@ -661,6 +663,36 @@ public final class CorsFilter implements
}
+ private boolean isLocalOrigin(HttpServletRequest request, String origin) {
+
+ // Build scheme://host:port from request
+ StringBuilder target = new StringBuilder();
+ String scheme = request.getScheme();
+ if (scheme == null) {
+ return false;
+ } else {
+ scheme = scheme.toLowerCase(Locale.ENGLISH);
+ }
+ target.append(scheme);
+ target.append("://");
+
+ String host = request.getServerName();
+ if (host == null) {
+ return false;
+ }
+ target.append(host);
+
+ int port = request.getServerPort();
+ if ("http".equals(scheme) && port != 80 ||
+ "https".equals(scheme) && port != 443) {
+ target.append(':');
+ target.append(port);
+ }
+
+ return origin.equalsIgnoreCase(target.toString());
+ }
+
+
/*
* Return the lower case, trimmed value of the media type from the content
* type.
Modified: tomcat/tc8.0.x/trunk/test/org/apache/catalina/filters/TestCorsFilter.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/test/org/apache/catalina/filters/TestCorsFilter.java?rev=1667617&r1=1667616&r2=1667617&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/test/org/apache/catalina/filters/TestCorsFilter.java (original)
+++ tomcat/tc8.0.x/trunk/test/org/apache/catalina/filters/TestCorsFilter.java Wed Mar 18 21:16:26 2015
@@ -520,6 +520,85 @@ public class TestCorsFilter {
CorsFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)).booleanValue());
}
+ /*
+ * Negative test, when a non-CORS request arrives, with an origin header.
+ */
+ @Test
+ public void testDoFilterSameHostWithOrigin01() throws IOException, ServletException {
+ doTestDoFilterSameHostWithOrigin01(
+ "http://localhost:8080", "http", "localhost", 8080, false);
+ }
+
+ @Test
+ public void testDoFilterSameHostWithOrigin02() throws IOException, ServletException {
+ doTestDoFilterSameHostWithOrigin01(
+ "http://localhost:8080", "https", "localhost", 8080, true);
+ }
+
+ @Test
+ public void testDoFilterSameHostWithOrigin03() throws IOException, ServletException {
+ doTestDoFilterSameHostWithOrigin01(
+ "http://localhost:8080", "http", "localhost", 8081, true);
+ }
+
+ @Test
+ public void testDoFilterSameHostWithOrigin04() throws IOException, ServletException {
+ doTestDoFilterSameHostWithOrigin01(
+ "http://localhost:8080", "http", "foo.dev.local", 8080, true);
+ }
+
+ @Test
+ public void testDoFilterSameHostWithOrigin05() throws IOException, ServletException {
+ doTestDoFilterSameHostWithOrigin01(
+ "https://localhost:8443", "https", "localhost", 8443, false);
+ }
+
+ @Test
+ public void testDoFilterSameHostWithOrigin06() throws IOException, ServletException {
+ doTestDoFilterSameHostWithOrigin01(
+ "https://localhost", "https", "localhost", 443, false);
+ }
+
+ @Test
+ public void testDoFilterSameHostWithOrigin07() throws IOException, ServletException {
+ doTestDoFilterSameHostWithOrigin01(
+ "http://localhost", "http", "localhost", 80, false);
+ }
+
+ private void doTestDoFilterSameHostWithOrigin01(String origin, String scheme, String host,
+ int port, boolean isCors) throws IOException, ServletException {
+
+ TesterHttpServletRequest request = new TesterHttpServletRequest();
+
+ request.setMethod("POST");
+ request.setHeader(CorsFilter.REQUEST_HEADER_ORIGIN, origin);
+ request.setScheme(scheme);
+ request.setServerName(host);
+ request.setServerPort(port);
+ request.setContentType("text/plain");
+ TesterHttpServletResponse response = new TesterHttpServletResponse();
+
+ CorsFilter corsFilter = new CorsFilter();
+ corsFilter.init(TesterFilterConfigs.getDefaultFilterConfig());
+ CorsFilter.CORSRequestType requestType =
+ corsFilter.checkRequestType(request);
+ if (isCors) {
+ Assert.assertNotEquals(CorsFilter.CORSRequestType.NOT_CORS, requestType);
+ } else {
+ Assert.assertEquals(CorsFilter.CORSRequestType.NOT_CORS, requestType);
+ }
+
+ corsFilter.doFilter(request, response, filterChain);
+
+ if (isCors) {
+ Assert.assertTrue(((Boolean) request.getAttribute(
+ CorsFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)).booleanValue());
+ } else {
+ Assert.assertFalse(((Boolean) request.getAttribute(
+ CorsFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)).booleanValue());
+ }
+ }
+
@Test
public void testDoFilterInvalidCORSOriginNotAllowed() throws IOException,
ServletException {
Modified: tomcat/tc8.0.x/trunk/test/org/apache/catalina/filters/TesterHttpServletRequest.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/test/org/apache/catalina/filters/TesterHttpServletRequest.java?rev=1667617&r1=1667616&r2=1667617&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/test/org/apache/catalina/filters/TesterHttpServletRequest.java (original)
+++ tomcat/tc8.0.x/trunk/test/org/apache/catalina/filters/TesterHttpServletRequest.java Wed Mar 18 21:16:26 2015
@@ -49,6 +49,9 @@ public class TesterHttpServletRequest im
private Map<String, Object> attributes = new HashMap<>();
private Map<String, List<String>> headers = new HashMap<>();
private String method;
+ private String scheme;
+ private String serverName;
+ private int serverPort;
private String contentType;
@Override
@@ -126,20 +129,30 @@ public class TesterHttpServletRequest im
@Override
public String getScheme() {
+ return scheme;
+ }
- throw new RuntimeException("Not implemented");
+ public void setScheme(String scheme) {
+ this.scheme = scheme;
}
@Override
public String getServerName() {
+ return serverName;
+ }
- throw new RuntimeException("Not implemented");
+ public void setServerName(String serverName) {
+ this.serverName = serverName;
}
+
@Override
public int getServerPort() {
+ return serverPort;
+ }
- throw new RuntimeException("Not implemented");
+ public void setServerPort(int serverPort) {
+ this.serverPort = serverPort;
}
@Override
@@ -208,7 +221,6 @@ public class TesterHttpServletRequest im
@Override
public String getLocalName() {
-
throw new RuntimeException("Not implemented");
}
Modified: tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml?rev=1667617&r1=1667616&r2=1667617&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml Wed Mar 18 21:16:26 2015
@@ -132,6 +132,10 @@
Refactor Authenticator implementations to reduce code duplication.
(markt)
</scode>
+ <fix>
+ <bug>57724</bug>: Handle the case in the CORS filter where a user agent
+ includes an origin header for a non-CORS request. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org