Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix AllowedOrigins according to RFC 6454 #875

Closed
wants to merge 5 commits into from
Closed

Fix AllowedOrigins according to RFC 6454 #875

wants to merge 5 commits into from

Conversation

GeorgeCGV
Copy link

  • Transformation of the origin into uri components used
    to fail with a NumberFormatException when origin string
    contained a character after the port definition like [port]/.
    • The slash straight after the port will ruin the integer parsing.
      DefaultCorsProcessor.processRequest will fail during call to WebUtils.isSameOrigin.
  • Origin validity check was considering
    'http://domain1.com' and 'http://domain1.com/' to be different. The same applies to allowed origins comparison. This doesn't meet RFC 6454 standard.

3.2.1. Examples

All of the following resources have the same origin:

http://example.com/
http://example.com:80/
http://example.com/path/file

Notes

  1. In order to improve performance the allowedOrigins collection can convert provided Strings directly to UriComponents or parsing for the header origin and allowedOrigins can be further simplified.
  2. I'm not totally sure about UriComponentsBuilder.fromHttpRequest but based on the code it may fail the same way as UriComponentsBuilder fromOriginHeader did. It depends what value can be stored in X-Forwarded-Host.

Issue: Nothing has been reported so far. However, the issue becomes noticeable: SocketRocket

I have signed and agree to the terms of the SpringSource Individual
Contributor License Agreement.

@GeorgeCGV
Fix AllowedOrigins according to RFC 6454
4ca174d 
Improved request origin check against allowed origins.
Transformation of the origin into uri components used
to fail with a 'NumberFormatException' when origin string
contained '[port]/' at the end.
Furthermore, check for valid origin was considering
'http://domain1.com' and 'http://domain1.com/' as
different origins. The same applies to comparison
against specified allowed origins. This doesn't meet
RFC 6454 standard.

- 'NumberFormatException' fix
- Origin validity and similarity checks fix
@GeorgeCGV GeorgeCGV mentioned this pull request Sep 18, 2015
Closed
@GeorgeCGV
Added missing origin string length check
c7145f8
@GeorgeCGV
Fix for origin comparison
490b9ed 
 - Fix NullPointerException in origin comparison
 - Add more tests with respect to RFC 6454
@rstoyanchev
Copy link
Contributor

Thanks for the pull request. Would you mind creating a ticket in our JIRA issuer tracker?

@GeorgeCGV
Copy link
Author

@rstoyanchev sure, here we go: Jira Issue - SPR-13478.

@sdeleuze sdeleuze self-assigned this Sep 22, 2015
@sdeleuze
Copy link
Contributor

Resolved by this commit, so I close this PR. Thanks for raising this issue.

@sdeleuze sdeleuze closed this Sep 28, 2015
@spring-projects-issues spring-projects-issues mentioned this pull request Jan 11, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@sdeleuze sdeleuze

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@GeorgeCGV @rstoyanchev @sdeleuze