Avoid stacktrace for invalid Origin header values

This commit adds support for origins with a trailing slash or a path, in order to avoid printing a stacktrace in the logs when WebUtils#isSameOrigin(HttpRequest) parses such invalid Origin header value. Issue: SPR-13478

Avoid stacktrace for invalid Origin header values
This commit adds support for origins with a trailing slash or a path, in order to avoid printing a stacktrace in the logs when WebUtils#isSameOrigin(HttpRequest) parses such invalid Origin header value. Issue: SPR-13478
9c66dfa7 · Sebastien Deleuze · 3dcf8c17 · 9c66dfa7 · 9c66dfa7
2 changed file
--- a/spring-web/src/main/java/org/springframework/web/util/UriComponentsBuilder.java
+++ b/spring-web/src/main/java/org/springframework/web/util/UriComponentsBuilder.java
@@ -339,6 +339,7 @@ public class UriComponentsBuilder implements Cloneable {
 	/**
 	 * Create an instance by parsing the "origin" header of an HTTP request.
+	 * @see <a href="https://tools.ietf.org/html/rfc6454">RFC 6454</a>
 	 */
 	public static UriComponentsBuilder fromOriginHeader(String origin) {
 		UriComponentsBuilder builder = UriComponentsBuilder.newInstance();
@@ -347,6 +348,11 @@ public class UriComponentsBuilder implements Cloneable {
 			String schema = (schemaIdx != -1 ? origin.substring(0, schemaIdx) : "http");
 			builder.scheme(schema);
 			String hostString = (schemaIdx != -1 ? origin.substring(schemaIdx + 3) : origin);
+			// Handling of invalid origins as described in SPR-13478
+			int firstSlashIdx = hostString.indexOf("/");
+			if (firstSlashIdx != -1) {
+				hostString = hostString.substring(0, firstSlashIdx);
+			}
 			if (hostString.contains(":")) {
 				String[] hostAndPort = StringUtils.split(hostString, ":");
 				builder.host(hostAndPort[0]);

--- a/spring-web/src/test/java/org/springframework/web/util/WebUtilsTests.java
+++ b/spring-web/src/test/java/org/springframework/web/util/WebUtilsTests.java
@@ -132,6 +132,16 @@ public class WebUtilsTests {
 		assertFalse(checkSameOrigin("mydomain1.com", -1, "http://mydomain2.com"));
 		assertFalse(checkSameOrigin("mydomain1.com", -1, "https://mydomain1.com"));
 		assertFalse(checkSameOrigin("mydomain1.com", -1, "invalid-origin"));
+		// Handling of invalid origins as described in SPR-13478
+		assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com/"));
+		assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com:80/"));
+		assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com/path"));
+		assertTrue(checkSameOrigin("mydomain1.com", -1, "http://mydomain1.com:80/path"));
+		assertFalse(checkSameOrigin("mydomain2.com", -1, "http://mydomain1.com/"));
+		assertFalse(checkSameOrigin("mydomain2.com", -1, "http://mydomain1.com:80/"));
+		assertFalse(checkSameOrigin("mydomain2.com", -1, "http://mydomain1.com/path"));
+		assertFalse(checkSameOrigin("mydomain2.com", -1, "http://mydomain1.com:80/path"));
 	}