Reject invalid forwarded headers

Issue: SPR-16660

Reject invalid forwarded headers
Issue: SPR-16660
a546cf0a · Rossen Stoyanchev · 5fb4c825 · a546cf0a
显示空白变更内容
内联并排

Showing with 32 addition and 25 deletion

spring-web/src/main/java/org/springframework/web/util/UriComponentsBuilder.java ...va/org/springframework/web/util/UriComponentsBuilder.java +32 -25

未找到文件。
--- a/spring-web/src/main/java/org/springframework/web/util/UriComponentsBuilder.java
+++ b/spring-web/src/main/java/org/springframework/web/util/UriComponentsBuilder.java
@@ -729,6 +729,7 @@ public class UriComponentsBuilder implements UriBuilder, Cloneable {
 	 * @since 4.2.7
 	 */
 	UriComponentsBuilder adaptFromForwardedHeaders(HttpHeaders headers) {
+		try {
 			String forwardedHeader = headers.getFirst("Forwarded");
 			if (StringUtils.hasText(forwardedHeader)) {
 				String forwardedToUse = StringUtils.tokenizeToStringArray(forwardedHeader, ",")[0];
@@ -759,6 +760,12 @@ public class UriComponentsBuilder implements UriBuilder, Cloneable {
 					port(Integer.parseInt(StringUtils.tokenizeToStringArray(portHeader, ",")[0]));
 				}
 			}
+		}
+		catch (NumberFormatException ex) {
+			throw new IllegalArgumentException("Failed to parse a port from \"forwarded\"-type headers. " +
+					"If not behind a trusted proxy, consider using ForwardedHeaderFilter " +
+					"with the removeOnly=true. Request headers: " + headers);
+		}

 		if (this.scheme != null && ((this.scheme.equals("http") && "80".equals(this.port)) ||
 				(this.scheme.equals("https") && "443".equals(this.port)))) {