提交
896eb568
编写于
8月 08, 2018
作者:
S
Sebastien Deleuze
Check scheme in (WebUtils|CorsUtils)#isSameOrigin
Issue: SPR-16362
上级
7e9b7102
变更
4
Showing
4 changed file
with
43 addition
and
28 deletion
+43
-28
spring-web/src/main/java/org/springframework/web/cors/reactive/CorsUtils.java
...java/org/springframework/web/cors/reactive/CorsUtils.java
+4
-1
spring-web/src/main/java/org/springframework/web/util/WebUtils.java
.../src/main/java/org/springframework/web/util/WebUtils.java
+2
-1
spring-web/src/test/java/org/springframework/web/cors/reactive/CorsUtilsTests.java
...org/springframework/web/cors/reactive/CorsUtilsTests.java
+9
-0
spring-web/src/test/java/org/springframework/web/util/WebUtilsTests.java
...test/java/org/springframework/web/util/WebUtilsTests.java
+28
-26
spring-web/src/main/java/org/springframework/web/cors/reactive/CorsUtils.java
...
@@ -69,13 +69,16 @@ public abstract class CorsUtils {
...
@@ -69,13 +69,16 @@ public abstract class CorsUtils {
}
}
URI
uri
=
request
.
getURI
();
URI
uri
=
request
.
getURI
();
String
actualScheme
=
uri
.
getScheme
();
String
actualHost
=
uri
.
getHost
();
String
actualHost
=
uri
.
getHost
();
int
actualPort
=
getPort
(
uri
.
getScheme
(),
uri
.
getPort
());
int
actualPort
=
getPort
(
uri
.
getScheme
(),
uri
.
getPort
());
Assert
.
notNull
(
actualScheme
,
"Actual request scheme must not be null"
);
Assert
.
notNull
(
actualHost
,
"Actual request host must not be null"
);
Assert
.
notNull
(
actualHost
,
"Actual request host must not be null"
);
Assert
.
isTrue
(
actualPort
!=
-
1
,
"Actual request port must not be undefined"
);
Assert
.
isTrue
(
actualPort
!=
-
1
,
"Actual request port must not be undefined"
);
UriComponents
originUrl
=
UriComponentsBuilder
.
fromOriginHeader
(
origin
).
build
();
UriComponents
originUrl
=
UriComponentsBuilder
.
fromOriginHeader
(
origin
).
build
();
return
(
actualHost
.
equals
(
originUrl
.
getHost
())
&&
return
(
actualScheme
.
equals
(
originUrl
.
getScheme
())
&&
actualHost
.
equals
(
originUrl
.
getHost
())
&&
actualPort
==
getPort
(
originUrl
.
getScheme
(),
originUrl
.
getPort
()));
actualPort
==
getPort
(
originUrl
.
getScheme
(),
originUrl
.
getPort
()));
}
}
...
...
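Review bot: The new scheme comparison on the return line is case-sensitive (`actualScheme.equals(originUrl.getScheme())`), while URI schemes are case-insensitive per RFC 3986, and the request scheme here appears to be influenced by proxy-supplied `Forwarded` values (the `proto=https` case in CorsUtilsTests), so a `proto=HTTPS` from an upstream would be reported as a different origin than `https://…`. That is a fail-closed mismatch rather than a bypass, but if mixed-case proxy values are expected, `actualScheme.equalsIgnoreCase(originUrl.getScheme())` or lower-casing both sides before comparing avoids the false negative. The added `Assert.notNull(actualScheme, …)` turns a scheme-less request URI into an IllegalArgumentException instead of a `false` result, which is consistent with the existing host and port assertions. The enclosing `isSameOrigin` starts before the hunk; its Javadoc, if it still describes the check as host and port only, should be updated to say that scheme, host and port are all compared.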
spring-web/src/main/java/org/springframework/web/util/WebUtils.java
...
@@ -813,7 +813,8 @@ public abstract class WebUtils {
...
@@ -813,7 +813,8 @@ public abstract class WebUtils {
}
}
UriComponents
originUrl
=
UriComponentsBuilder
.
fromOriginHeader
(
origin
).
build
();
UriComponents
originUrl
=
UriComponentsBuilder
.
fromOriginHeader
(
origin
).
build
();
return
(
ObjectUtils
.
nullSafeEquals
(
host
,
originUrl
.
getHost
())
&&
return
(
ObjectUtils
.
nullSafeEquals
(
scheme
,
originUrl
.
getScheme
())
&&
ObjectUtils
.
nullSafeEquals
(
host
,
originUrl
.
getHost
())
&&
getPort
(
scheme
,
port
)
==
getPort
(
originUrl
.
getScheme
(),
originUrl
.
getPort
()));
getPort
(
scheme
,
port
)
==
getPort
(
originUrl
.
getScheme
(),
originUrl
.
getPort
()));
}
}
...
...
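Review bot: The added `ObjectUtils.nullSafeEquals(scheme, originUrl.getScheme())` treats two null schemes as equal, so if `scheme` (assigned before the hunk) can ever be null and the Origin header parses without a scheme, the scheme check passes instead of rejecting. The reactive counterpart in CorsUtils asserts the request scheme is non-null before comparing with `equals`; if the same guarantee is not established earlier in this method, `scheme != null && scheme.equals(originUrl.getScheme())` keeps the comparison fail-closed. The enclosing method begins before the hunk, so how `scheme` and `port` are derived is not visible here; the Javadoc of `isSameOrigin` should likewise mention that the scheme is now part of the comparison.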
spring-web/src/test/java/org/springframework/web/cors/reactive/CorsUtilsTests.java
...
@@ -92,6 +92,15 @@ public class CorsUtilsTests {
...
@@ -92,6 +92,15 @@ public class CorsUtilsTests {
testWithForwardedHeader
(
server
,
123
,
"proto=https; host=mydomain2.com:456"
,
"https://mydomain2.com:456"
);
testWithForwardedHeader
(
server
,
123
,
"proto=https; host=mydomain2.com:456"
,
"https://mydomain2.com:456"
);
}
}
@Test
// SPR-16362
public
void
isSameOriginWithDifferentSchemes
()
{
MockServerHttpRequest
request
=
MockServerHttpRequest
.
get
(
"http://mydomain1.com"
)
.
header
(
HttpHeaders
.
ORIGIN
,
"https://mydomain1.com"
)
.
build
();
assertFalse
(
CorsUtils
.
isSameOrigin
(
request
));
}
private
void
testWithXForwardedHeaders
(
String
serverName
,
int
port
,
private
void
testWithXForwardedHeaders
(
String
serverName
,
int
port
,
String
forwardedProto
,
String
forwardedHost
,
int
forwardedPort
,
String
originHeader
)
{
String
forwardedProto
,
String
forwardedHost
,
int
forwardedPort
,
String
originHeader
)
{
...
...
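Review bot: The new `isSameOriginWithDifferentSchemes` test does not isolate the scheme check: the request `http://mydomain1.com` has no explicit port and resolves to 80 through `getPort`, while the origin `https://mydomain1.com` resolves to 443, so `isSameOrigin` already returned false for this pair before the scheme comparison was added. Using an explicit common port, e.g. `MockServerHttpRequest.get("http://mydomain1.com:8080")` with origin `"https://mydomain1.com:8080"`, pins the regression to the scheme comparison alone. The `-1` port cases added in WebUtilsTests below depend on the mock servlet request's default port for the same reason; an explicit-port pair such as `checkSameOrigin("https", "mydomain1.com", 8080, "http://mydomain1.com:8080")` there would make the intent unambiguous.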
spring-web/src/test/java/org/springframework/web/util/WebUtilsTests.java
...
@@ -105,39 +105,40 @@ public class WebUtilsTests {
...
@@ -105,39 +105,40 @@ public class WebUtilsTests {
@Test
@Test
public
void
isSameOrigin
()
{
public
void
isSameOrigin
()
{
assertTrue
(
checkSameOrigin
(
"mydomain1.com"
,
-
1
,
"http://mydomain1.com"
));
assertTrue
(
checkSameOrigin
(
"http"
,
"mydomain1.com"
,
-
1
,
"http://mydomain1.com"
));
assertTrue
(
checkSameOrigin
(
"mydomain1.com"
,
-
1
,
"http://mydomain1.com:80"
));
assertTrue
(
checkSameOrigin
(
"http"
,
"mydomain1.com"
,
-
1
,
"http://mydomain1.com:80"
));
assertTrue
(
checkSameOrigin
(
"mydomain1.com"
,
443
,
"https://mydomain1.com"
));
assertTrue
(
checkSameOrigin
(
"https"
,
"mydomain1.com"
,
443
,
"https://mydomain1.com"
));
assertTrue
(
checkSameOrigin
(
"mydomain1.com"
,
443
,
"https://mydomain1.com:443"
));
assertTrue
(
checkSameOrigin
(
"https"
,
"mydomain1.com"
,
443
,
"https://mydomain1.com:443"
));
assertTrue
(
checkSameOrigin
(
"mydomain1.com"
,
123
,
"http://mydomain1.com:123"
));
assertTrue
(
checkSameOrigin
(
"http"
,
"mydomain1.com"
,
123
,
"http://mydomain1.com:123"
));
assertTrue
(
checkSameOrigin
(
"mydomain1.com"
,
-
1
,
"ws://mydomain1.com"
));
assertTrue
(
checkSameOrigin
(
"ws"
,
"mydomain1.com"
,
-
1
,
"ws://mydomain1.com"
));
assertTrue
(
checkSameOrigin
(
"mydomain1.com"
,
443
,
"wss://mydomain1.com"
));
assertTrue
(
checkSameOrigin
(
"wss"
,
"mydomain1.com"
,
443
,
"wss://mydomain1.com"
));
assertFalse
(
checkSameOrigin
(
"mydomain1.com"
,
-
1
,
"http://mydomain2.com"
));
assertFalse
(
checkSameOrigin
(
"http"
,
"mydomain1.com"
,
-
1
,
"http://mydomain2.com"
));
assertFalse
(
checkSameOrigin
(
"mydomain1.com"
,
-
1
,
"https://mydomain1.com"
));
assertFalse
(
checkSameOrigin
(
"http"
,
"mydomain1.com"
,
-
1
,
"https://mydomain1.com"
));
assertFalse
(
checkSameOrigin
(
"mydomain1.com"
,
-
1
,
"invalid-origin"
));
assertFalse
(
checkSameOrigin
(
"http"
,
"mydomain1.com"
,
-
1
,
"invalid-origin"
));
assertFalse
(
checkSameOrigin
(
"https"
,
"mydomain1.com"
,
-
1
,
"http://mydomain1.com"
));
// Handling of invalid origins as described in SPR-13478
// Handling of invalid origins as described in SPR-13478
assertTrue
(
checkSameOrigin
(
"mydomain1.com"
,
-
1
,
"http://mydomain1.com/"
));
assertTrue
(
checkSameOrigin
(
"
http"
,
"
mydomain1.com"
,
-
1
,
"http://mydomain1.com/"
));
assertTrue
(
checkSameOrigin
(
"mydomain1.com"
,
-
1
,
"http://mydomain1.com:80/"
));
assertTrue
(
checkSameOrigin
(
"
http"
,
"
mydomain1.com"
,
-
1
,
"http://mydomain1.com:80/"
));
assertTrue
(
checkSameOrigin
(
"mydomain1.com"
,
-
1
,
"http://mydomain1.com/path"
));
assertTrue
(
checkSameOrigin
(
"
http"
,
"
mydomain1.com"
,
-
1
,
"http://mydomain1.com/path"
));
assertTrue
(
checkSameOrigin
(
"mydomain1.com"
,
-
1
,
"http://mydomain1.com:80/path"
));
assertTrue
(
checkSameOrigin
(
"
http"
,
"
mydomain1.com"
,
-
1
,
"http://mydomain1.com:80/path"
));
assertFalse
(
checkSameOrigin
(
"mydomain2.com"
,
-
1
,
"http://mydomain1.com/"
));
assertFalse
(
checkSameOrigin
(
"
http"
,
"
mydomain2.com"
,
-
1
,
"http://mydomain1.com/"
));
assertFalse
(
checkSameOrigin
(
"mydomain2.com"
,
-
1
,
"http://mydomain1.com:80/"
));
assertFalse
(
checkSameOrigin
(
"
http"
,
"
mydomain2.com"
,
-
1
,
"http://mydomain1.com:80/"
));
assertFalse
(
checkSameOrigin
(
"mydomain2.com"
,
-
1
,
"http://mydomain1.com/path"
));
assertFalse
(
checkSameOrigin
(
"
http"
,
"
mydomain2.com"
,
-
1
,
"http://mydomain1.com/path"
));
assertFalse
(
checkSameOrigin
(
"mydomain2.com"
,
-
1
,
"http://mydomain1.com:80/path"
));
assertFalse
(
checkSameOrigin
(
"
http"
,
"
mydomain2.com"
,
-
1
,
"http://mydomain1.com:80/path"
));
// Handling of IPv6 hosts as described in SPR-13525
// Handling of IPv6 hosts as described in SPR-13525
assertTrue
(
checkSameOrigin
(
"[::1]"
,
-
1
,
"http://[::1]"
));
assertTrue
(
checkSameOrigin
(
"
http"
,
"
[::1]"
,
-
1
,
"http://[::1]"
));
assertTrue
(
checkSameOrigin
(
"[::1]"
,
8080
,
"http://[::1]:8080"
));
assertTrue
(
checkSameOrigin
(
"
http"
,
"
[::1]"
,
8080
,
"http://[::1]:8080"
));
assertTrue
(
checkSameOrigin
(
assertTrue
(
checkSameOrigin
(
"http"
,
"[2001:0db8:0000:85a3:0000:0000:ac1f:8001]"
,
-
1
,
"[2001:0db8:0000:85a3:0000:0000:ac1f:8001]"
,
-
1
,
"http://[2001:0db8:0000:85a3:0000:0000:ac1f:8001]"
));
"http://[2001:0db8:0000:85a3:0000:0000:ac1f:8001]"
));
assertTrue
(
checkSameOrigin
(
assertTrue
(
checkSameOrigin
(
"http"
,
"[2001:0db8:0000:85a3:0000:0000:ac1f:8001]"
,
8080
,
"[2001:0db8:0000:85a3:0000:0000:ac1f:8001]"
,
8080
,
"http://[2001:0db8:0000:85a3:0000:0000:ac1f:8001]:8080"
));
"http://[2001:0db8:0000:85a3:0000:0000:ac1f:8001]:8080"
));
assertFalse
(
checkSameOrigin
(
"[::1]"
,
-
1
,
"http://[::1]:8080"
));
assertFalse
(
checkSameOrigin
(
"
http"
,
"
[::1]"
,
-
1
,
"http://[::1]:8080"
));
assertFalse
(
checkSameOrigin
(
"[::1]"
,
8080
,
assertFalse
(
checkSameOrigin
(
"
http"
,
"
[::1]"
,
8080
,
"http://[2001:0db8:0000:85a3:0000:0000:ac1f:8001]:8080"
));
"http://[2001:0db8:0000:85a3:0000:0000:ac1f:8001]:8080"
));
}
}
...
@@ -175,9 +176,10 @@ public class WebUtilsTests {
...
@@ -175,9 +176,10 @@ public class WebUtilsTests {
return
WebUtils
.
isValidOrigin
(
request
,
allowed
);
return
WebUtils
.
isValidOrigin
(
request
,
allowed
);
}
}
private
boolean
checkSameOrigin
(
String
serverName
,
int
port
,
String
originHeader
)
{
private
boolean
checkSameOrigin
(
String
s
cheme
,
String
s
erverName
,
int
port
,
String
originHeader
)
{
MockHttpServletRequest
servletRequest
=
new
MockHttpServletRequest
();
MockHttpServletRequest
servletRequest
=
new
MockHttpServletRequest
();
ServerHttpRequest
request
=
new
ServletServerHttpRequest
(
servletRequest
);
ServerHttpRequest
request
=
new
ServletServerHttpRequest
(
servletRequest
);
servletRequest
.
setScheme
(
scheme
);
servletRequest
.
setServerName
(
serverName
);
servletRequest
.
setServerName
(
serverName
);
if
(
port
!=
-
1
)
{
if
(
port
!=
-
1
)
{
servletRequest
.
setServerPort
(
port
);
servletRequest
.
setServerPort
(
port
);
...
...