

[RESTEASY-1704] CVE-2017-7561 resteasy: Vary header not added by CORS…
… filter leading to cache poisoning
yersan authored and asoldano committed Nov 7, 2017
1 parent 38dcb6a commit fd66aad
Showing 2 changed files with 3 additions and 0 deletions.
Expand Up @@ -147,6 +147,7 @@ public void filter(ContainerRequestContext requestContext, ContainerResponseCont
return;
}
responseContext.getHeaders().putSingle(CorsHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, origin);
responseContext.getHeaders().putSingle(CorsHeaders.VARY, CorsHeaders.ORIGIN);
if (allowCredentials) responseContext.getHeaders().putSingle(CorsHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");

if (exposedHeaders != null) {
Expand All @@ -161,6 +162,7 @@ protected void preflight(String origin, ContainerRequestContext requestContext)

Response.ResponseBuilder builder = Response.ok();
builder.header(CorsHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, origin);
builder.header(CorsHeaders.VARY, CorsHeaders.ORIGIN);
if (allowCredentials) builder.header(CorsHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
String requestMethods = requestContext.getHeaderString(CorsHeaders.ACCESS_CONTROL_REQUEST_METHOD);
if (requestMethods != null)
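Review bot: `putSingle(CorsHeaders.VARY, CorsHeaders.ORIGIN)` in the first hunk replaces any Vary value the resource or an earlier filter already put on the response (for example a `Vary: Accept` from content negotiation), so the fix closes the Origin cache-key gap but can silently open another one; appending preserves both: `responseContext.getHeaders().add(CorsHeaders.VARY, CorsHeaders.ORIGIN);`. The preflight path is not affected, because `ResponseBuilder.header(...)` adds a header rather than replacing it. Vary is also emitted only after the early `return;` for a non-matching origin, so a response that was denied CORS headers still carries no Vary and a shared cache could hand it to a later request from an allowed origin; whether that branch sets Vary cannot be seen from this hunk and is worth checking. `filter()` begins before the hunk and continues past it.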
Expand Up @@ -15,4 +15,5 @@ public class CorsHeaders
public static final String ACCESS_CONTROL_REQUEST_METHOD = "Access-Control-Request-Method";
public static final String ACCESS_CONTROL_EXPOSE_HEADERS = "Access-Control-Expose-Headers";
public static final String ACCESS_CONTROL_REQUEST_HEADERS = "Access-Control-Request-Headers";
public static final String VARY = "Vary";
}
