@@ -, +, @@ --- java/org/apache/catalina/filters/CorsFilter.java | 6 ++ .../apache/catalina/filters/TestCorsFilter.java | 74 +++++++++++++++++++++- .../catalina/filters/TesterFilterConfigs.java | 18 ++++++ 3 files changed, 96 insertions(+), 2 deletions(-) --- a/java/org/apache/catalina/filters/CorsFilter.java +++ a/java/org/apache/catalina/filters/CorsFilter.java @@ -800,6 +800,7 @@ public final class CorsFilter implements Filter { * Checks if a given origin is valid or not. Criteria: * * @@ -812,6 +813,11 @@ public final class CorsFilter implements Filter { return false; } + // "null" is a valid origin + if ("null".equals(origin)) { + return true; + } + URI originURI; try { --- a/test/org/apache/catalina/filters/TestCorsFilter.java +++ a/test/org/apache/catalina/filters/TestCorsFilter.java @@ -497,10 +497,10 @@ public class TestCorsFilter { } /* - * Negative test, when a CORS request arrives, with a null origin. + * Negative test, when a CORS request arrives, with no origin header. */ @Test - public void testDoFilterNullOrigin() throws IOException, ServletException { + public void testDoFilterNoOrigin() throws IOException, ServletException { TesterHttpServletRequest request = new TesterHttpServletRequest(); request.setMethod("POST"); @@ -536,6 +536,58 @@ public class TestCorsFilter { response.getStatus()); } + /* + * A CORS request arrives with a "null" origin which is allowed by default. + */ + @Test + public void testDoFilterNullOriginAllowedByDefault() throws IOException, + ServletException { + TesterHttpServletRequest request = new TesterHttpServletRequest(); + + request.setMethod("POST"); + request.setContentType("text/plain"); + request.setHeader(CorsFilter.REQUEST_HEADER_ORIGIN, "null"); + TesterHttpServletResponse response = new TesterHttpServletResponse(); + + CorsFilter corsFilter = new CorsFilter(); + corsFilter.init(TesterFilterConfigs.getDefaultFilterConfig()); + CorsFilter.CORSRequestType requestType = + corsFilter.checkRequestType(request); + Assert.assertEquals(CorsFilter.CORSRequestType.SIMPLE, requestType); + + corsFilter.doFilter(request, response, filterChain); + + Assert.assertTrue(((Boolean) request.getAttribute( + CorsFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)).booleanValue()); + } + + /* + * A CORS request arrives with a "null" origin which is explicitly allowed + * by configuration. + */ + @Test + public void testDoFilterNullOriginAllowedByConfiguration() throws + IOException, ServletException { + TesterHttpServletRequest request = new TesterHttpServletRequest(); + + request.setMethod("POST"); + request.setContentType("text/plain"); + request.setHeader(CorsFilter.REQUEST_HEADER_ORIGIN, "null"); + TesterHttpServletResponse response = new TesterHttpServletResponse(); + + CorsFilter corsFilter = new CorsFilter(); + corsFilter.init( + TesterFilterConfigs.getFilterConfigSpecificOriginNullAllowed()); + CorsFilter.CORSRequestType requestType = + corsFilter.checkRequestType(request); + Assert.assertEquals(CorsFilter.CORSRequestType.SIMPLE, requestType); + + corsFilter.doFilter(request, response, filterChain); + + Assert.assertTrue(((Boolean) request.getAttribute( + CorsFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)).booleanValue()); + } + @Test(expected = ServletException.class) public void testDoFilterNullRequestNullResponse() throws IOException, ServletException { @@ -1035,6 +1087,24 @@ public class TestCorsFilter { Assert.assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus()); } + + /* + * Tests for failure, when the 'null' origin is used, and it's not in the + * list of allowed origins. + */ + @Test + public void testCheckNullOriginNotAllowed() throws ServletException, + IOException { + TesterHttpServletRequest request = new TesterHttpServletRequest(); + TesterHttpServletResponse response = new TesterHttpServletResponse(); + request.setHeader(CorsFilter.REQUEST_HEADER_ORIGIN, "null"); + request.setMethod("GET"); + CorsFilter corsFilter = new CorsFilter(); + corsFilter.init(TesterFilterConfigs.getSpecificOriginFilterConfig()); + corsFilter.doFilter(request, response, filterChain); + Assert.assertEquals(HttpServletResponse.SC_FORBIDDEN, + response.getStatus()); + } /* * Tests for failure, when a different sub-domain is used, that's not in the --- a/test/org/apache/catalina/filters/TesterFilterConfigs.java +++ a/test/org/apache/catalina/filters/TesterFilterConfigs.java @@ -106,6 +106,24 @@ public class TesterFilterConfigs { preflightMaxAge, decorateRequest); } + public static FilterConfig getFilterConfigSpecificOriginNullAllowed() { + final String allowedHttpHeaders = + CorsFilter.DEFAULT_ALLOWED_HTTP_HEADERS; + final String allowedHttpMethods = + CorsFilter.DEFAULT_ALLOWED_HTTP_METHODS; + final String allowedOrigins = HTTP_TOMCAT_APACHE_ORG + ",null"; + final String exposedHeaders = CorsFilter.DEFAULT_EXPOSED_HEADERS; + final String supportCredentials = + CorsFilter.DEFAULT_SUPPORTS_CREDENTIALS; + final String preflightMaxAge = + CorsFilter.DEFAULT_PREFLIGHT_MAXAGE; + final String decorateRequest = CorsFilter.DEFAULT_DECORATE_REQUEST; + + return generateFilterConfig(allowedHttpHeaders, allowedHttpMethods, + allowedOrigins, exposedHeaders, supportCredentials, + preflightMaxAge, decorateRequest); + } + public static FilterConfig getFilterConfigWithExposedHeaders() { final String allowedHttpHeaders = CorsFilter.DEFAULT_ALLOWED_HTTP_HEADERS; --