
Commit 7cc56e1

committed
Improve error handling in WebUtils.isValidOrigin()
With this commit, WebUtils.isValidOrigin() logs an error message instead of throwing an IllegalArgumentException when the Origin header value is invalid (for example, when it does not contain the scheme). Issue: SPR-12697
1 parent b5e8039 commit 7cc56e1

2 files changed

+17
-1
lines changed

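--- a/spring-web/src/main/java/org/springframework/web/util/WebUtils.java
+++ b/spring-web/src/main/java/org/springframework/web/util/WebUtils.java
@@ -33,6 +33,9 @@
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
 import org.springframework.http.HttpRequest;
 import org.springframework.util.Assert;
 import org.springframework.util.LinkedMultiValueMap;
@@ -131,6 +134,8 @@ public abstract class WebUtils {
 /** Key for the mutex session attribute */
 public static final String SESSION_MUTEX_ATTRIBUTE = WebUtils.class.getName() + ".MUTEX";
 
+private static final Log logger = LogFactory.getLog(WebUtils.class);
+
 
 /**
 * Set a system property to the web application root directory.
@@ -786,7 +791,14 @@ public static boolean isValidOrigin(HttpRequest request, Collection<String> allo
 return true;
 }
 else if (allowedOrigins.isEmpty()) {
-UriComponents originComponents = UriComponentsBuilder.fromHttpUrl(origin).build();
+UriComponents originComponents;
+try {
+originComponents = UriComponentsBuilder.fromHttpUrl(origin).build();
+}
+catch (IllegalArgumentException ex) {
+logger.error("Failed to parse Origin header value [" + origin + "]");
+return false;
+}
 UriComponents requestComponents = UriComponentsBuilder.fromHttpRequest(request).build();
 int originPort = getPort(originComponents);
 int requestPort = getPort(requestComponents);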
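Review bot: The new catch block (new lines 798–801) writes the raw Origin header, a client-controlled value, into an ERROR-level message, so any client can produce error entries at will and the text reaches the log unescaped and unbounded. Returning false is the right fail-closed result, but a malformed header is a client fault rather than a server fault; consider `logger.warn("Failed to parse Origin header value [" + origin + "]");` or debug level, and escaping control characters and capping the length of `origin` before it is concatenated. Browsers can also send `Origin: null`, which presumably takes this path too since it has no scheme, and would then be logged on every such request. The body of isValidOrigin starts and ends outside the hunk, so how `origin` is read is not visible here.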

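--- a/spring-web/src/test/java/org/springframework/web/util/WebUtilsTests.java
+++ b/spring-web/src/test/java/org/springframework/web/util/WebUtilsTests.java
@@ -142,6 +142,10 @@ public void isValidOrigin() {
 request.getHeaders().set(HttpHeaders.ORIGIN, "https://mydomain1.com");
 assertFalse(WebUtils.isValidOrigin(request, allowedOrigins));
 
+servletRequest.setServerName("invalid-origin");
+request.getHeaders().set(HttpHeaders.ORIGIN, "invalid-origin");
+assertFalse(WebUtils.isValidOrigin(request, allowedOrigins));
+
 allowedOrigins = Arrays.asList("*");
 servletRequest.setServerName("mydomain1.com");
 request.getHeaders().set(HttpHeaders.ORIGIN, "http://mydomain2.com");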
