Validate top-level SockJS URL

rstoyanchev · rstoyanchev · commit 8d17bcea5b06 · 2021-05-26T11:26:02.000+01:00
Closes gh-26933
diff --git a/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/support/AbstractSockJsService.java b/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/support/AbstractSockJsService.java
@@ -398,6 +398,10 @@ public final void handleRequest(ServerHttpRequest request, ServerHttpResponse re
 				if (requestInfo != null) {
 					logger.debug("Processing transport request: " + requestInfo);
 				}
+				if ("websocket".equalsIgnoreCase(request.getHeaders().getUpgrade())) {
+					response.setStatusCode(HttpStatus.BAD_REQUEST);
+					return;
+				}
 				response.getHeaders().setContentType(new MediaType("text", "plain", StandardCharsets.UTF_8));
 				response.getBody().write("Welcome to SockJS!\n".getBytes(StandardCharsets.UTF_8));
 			}

Original file line number	Diff line number	Diff line change
`@@ -398,6 +398,10 @@ public final void handleRequest(ServerHttpRequest request, ServerHttpResponse re`
`398`	`398`	`if (requestInfo != null) {`
`399`	`399`	`logger.debug("Processing transport request: " + requestInfo);`
`400`	`400`	`}`
	`401`	`+ if ("websocket".equalsIgnoreCase(request.getHeaders().getUpgrade())) {`
	`402`	`+ response.setStatusCode(HttpStatus.BAD_REQUEST);`
	`403`	`+ return;`
	`404`	`+ }`
`401`	`405`	`response.getHeaders().setContentType(new MediaType("text", "plain", StandardCharsets.UTF_8));`
`402`	`406`	`response.getBody().write("Welcome to SockJS!\n".getBytes(StandardCharsets.UTF_8));`
`403`	`407`	`}`