ASF Bugzilla – Attachment 32389 Details for
Bug 57178
Add CorsFilter configuration option to allow requests with Origin "null"
[patch]
Simplified patch for Bug#57178
0001-57178-Allow-CORS-requests-with-Origin-header-value-n.patch (text/plain), 7.03 KB, created by
Gregor Zurowski
on 2015-01-22 03:04:57 UTC
Description:
Simplified patch for Bug#57178
Filename:
MIME Type:
Creator:
Gregor Zurowski
Created:
2015-01-22 03:04:57 UTC
Size:
7.03 KB
patch
obsolete
>From 017943fe31eb397c729fccc47d1c8659285eabd7 Mon Sep 17 00:00:00 2001
>From: Gregor Zurowski <gregor.zurowski@sothebys.com>
>Date: Wed, 21 Jan 2015 16:57:51 -0500
>Subject: [PATCH] #57178: Allow CORS requests with Origin header value "null"
>
>Signed-off-by: Gregor Zurowski gregor@zurowski.org
>---
> java/org/apache/catalina/filters/CorsFilter.java | 6 ++
> .../apache/catalina/filters/TestCorsFilter.java | 74 +++++++++++++++++++++-
> .../catalina/filters/TesterFilterConfigs.java | 18 ++++++
> 3 files changed, 96 insertions(+), 2 deletions(-)
>
>diff --git a/java/org/apache/catalina/filters/CorsFilter.java b/java/org/apache/catalina/filters/CorsFilter.java
>index 4db5f41..e477f03 100644
>--- a/java/org/apache/catalina/filters/CorsFilter.java
>+++ b/java/org/apache/catalina/filters/CorsFilter.java
>@@ -800,6 +800,7 @@ public final class CorsFilter implements Filter {
> * Checks if a given origin is valid or not. Criteria:
> * <ul>
> * <li>If an encoded character is present in origin, it's not valid.</li>
>+ * <li>If origin is "null", it's valid.</li>
> * <li>Origin should be a valid {@link URI}</li>
> * </ul>
> *
>@@ -812,6 +813,11 @@ public final class CorsFilter implements Filter {
> return false;
> }
>
>+ // "null" is a valid origin
>+ if ("null".equals(origin)) {
>+ return true;
>+ }
>+
> URI originURI;
>
> try {
>diff --git a/test/org/apache/catalina/filters/TestCorsFilter.java b/test/org/apache/catalina/filters/TestCorsFilter.java
>index 83aa719..614af50 100644
>--- a/test/org/apache/catalina/filters/TestCorsFilter.java
>+++ b/test/org/apache/catalina/filters/TestCorsFilter.java
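Review bot: The early return added to the origin validity check accepts the literal `"null"` before the URI parse, and its comment `// "null" is a valid origin` reads as if the value were trusted. Browsers send `Origin: null` for opaque origins such as sandboxed iframes and `file:`/`data:` documents, so the value names no single site and any page can cause it to be sent. I would say so in the comment, and that this check is syntactic only: `// "null" = opaque origin (sandboxed frame, file:, data:); syntactically valid, access is still decided by the allowed-origins list`. The same wording belongs in the new Javadoc bullet in the previous hunk. The method's signature and the rest of its body are outside this hunk, so how the result feeds the allow-list comparison is not visible here.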
>@@ -497,10 +497,10 @@ public class TestCorsFilter {
> }
>
> /*
>- * Negative test, when a CORS request arrives, with a null origin.
>+ * Negative test, when a CORS request arrives, with no origin header.
> */
> @Test
>- public void testDoFilterNullOrigin() throws IOException, ServletException {
>+ public void testDoFilterNoOrigin() throws IOException, ServletException {
> TesterHttpServletRequest request = new TesterHttpServletRequest();
>
> request.setMethod("POST");
>@@ -536,6 +536,58 @@ public class TestCorsFilter {
> response.getStatus());
> }
>
>+ /*
>+ * A CORS request arrives with a "null" origin which is allowed by default.
>+ */
>+ @Test
>+ public void testDoFilterNullOriginAllowedByDefault() throws IOException,
>+ ServletException {
>+ TesterHttpServletRequest request = new TesterHttpServletRequest();
>+
>+ request.setMethod("POST");
>+ request.setContentType("text/plain");
>+ request.setHeader(CorsFilter.REQUEST_HEADER_ORIGIN, "null");
>+ TesterHttpServletResponse response = new TesterHttpServletResponse();
>+
>+ CorsFilter corsFilter = new CorsFilter();
>+ corsFilter.init(TesterFilterConfigs.getDefaultFilterConfig());
>+ CorsFilter.CORSRequestType requestType =
>+ corsFilter.checkRequestType(request);
>+ Assert.assertEquals(CorsFilter.CORSRequestType.SIMPLE, requestType);
>+
>+ corsFilter.doFilter(request, response, filterChain);
>+
>+ Assert.assertTrue(((Boolean) request.getAttribute(
>+ CorsFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)).booleanValue());
>+ }
>+
>+ /*
>+ * A CORS request arrives with a "null" origin which is explicitly allowed
>+ * by configuration.
>+ */
>+ @Test
>+ public void testDoFilterNullOriginAllowedByConfiguration() throws
>+ IOException, ServletException {
>+ TesterHttpServletRequest request = new TesterHttpServletRequest();
>+
>+ request.setMethod("POST");
>+ request.setContentType("text/plain");
>+ request.setHeader(CorsFilter.REQUEST_HEADER_ORIGIN, "null");
>+ TesterHttpServletResponse response = new TesterHttpServletResponse();
>+
>+ CorsFilter corsFilter = new CorsFilter();
>+ corsFilter.init(
>+ TesterFilterConfigs.getFilterConfigSpecificOriginNullAllowed());
>+ CorsFilter.CORSRequestType requestType =
>+ corsFilter.checkRequestType(request);
>+ Assert.assertEquals(CorsFilter.CORSRequestType.SIMPLE, requestType);
>+
>+ corsFilter.doFilter(request, response, filterChain);
>+
>+ Assert.assertTrue(((Boolean) request.getAttribute(
>+ CorsFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST)).booleanValue());
>+ }
>+
> @Test(expected = ServletException.class)
> public void testDoFilterNullRequestNullResponse() throws IOException,
> ServletException {
>@@ -1035,6 +1087,24 @@ public class TestCorsFilter {
> Assert.assertEquals(HttpServletResponse.SC_FORBIDDEN,
> response.getStatus());
> }
>+
>+ /*
>+ * Tests for failure, when the 'null' origin is used, and it's not in the
>+ * list of allowed origins.
>+ */
>+ @Test
>+ public void testCheckNullOriginNotAllowed() throws ServletException,
>+ IOException {
>+ TesterHttpServletRequest request = new TesterHttpServletRequest();
>+ TesterHttpServletResponse response = new TesterHttpServletResponse();
>+ request.setHeader(CorsFilter.REQUEST_HEADER_ORIGIN, "null");
>+ request.setMethod("GET");
>+ CorsFilter corsFilter = new CorsFilter();
>+ corsFilter.init(TesterFilterConfigs.getSpecificOriginFilterConfig());
>+ corsFilter.doFilter(request, response, filterChain);
>+ Assert.assertEquals(HttpServletResponse.SC_FORBIDDEN,
>+ response.getStatus());
>+ }
>
> /*
> * Tests for failure, when a different sub-domain is used, that's not in the
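Review bot: `testDoFilterNullOriginAllowedByDefault` and `testDoFilterNullOriginAllowedByConfiguration` assert only the `HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST` request attribute, so they pass without checking what the filter writes to the response for a `"null"` origin. Because `"null"` is shared by every opaque origin, the response headers are the security-relevant outcome here, in particular whether credentials are permitted alongside it. I would add assertions on `response.getHeader(CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN)` and on `response.getHeader(CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS)` to both tests. The expected values depend on the filter defaults, which are not visible in this patch, so they need to be confirmed against `CorsFilter` before being pinned.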
>diff --git a/test/org/apache/catalina/filters/TesterFilterConfigs.java b/test/org/apache/catalina/filters/TesterFilterConfigs.java
>index 32e87c3..28b8ac4 100644
>--- a/test/org/apache/catalina/filters/TesterFilterConfigs.java
>+++ b/test/org/apache/catalina/filters/TesterFilterConfigs.java
>@@ -106,6 +106,24 @@ public class TesterFilterConfigs {
> preflightMaxAge, decorateRequest);
> }
>
>+ public static FilterConfig getFilterConfigSpecificOriginNullAllowed() {
>+ final String allowedHttpHeaders =
>+ CorsFilter.DEFAULT_ALLOWED_HTTP_HEADERS;
>+ final String allowedHttpMethods =
>+ CorsFilter.DEFAULT_ALLOWED_HTTP_METHODS;
>+ final String allowedOrigins = HTTP_TOMCAT_APACHE_ORG + ",null";
>+ final String exposedHeaders = CorsFilter.DEFAULT_EXPOSED_HEADERS;
>+ final String supportCredentials =
>+ CorsFilter.DEFAULT_SUPPORTS_CREDENTIALS;
>+ final String preflightMaxAge =
>+ CorsFilter.DEFAULT_PREFLIGHT_MAXAGE;
>+ final String decorateRequest = CorsFilter.DEFAULT_DECORATE_REQUEST;
>+
>+ return generateFilterConfig(allowedHttpHeaders, allowedHttpMethods,
>+ allowedOrigins, exposedHeaders, supportCredentials,
>+ preflightMaxAge, decorateRequest);
>+ }
>+
> public static FilterConfig getFilterConfigWithExposedHeaders() {
> final String allowedHttpHeaders =
> CorsFilter.DEFAULT_ALLOWED_HTTP_HEADERS;
>--
>2.1.4
>
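Review bot: `getFilterConfigSpecificOriginNullAllowed` has no comment, and it pairs `",null"` in `allowedOrigins` with `CorsFilter.DEFAULT_SUPPORTS_CREDENTIALS`. If that default enables credentials (its value is not shown in this patch), the fixture models the riskiest setup, in which every opaque origin is granted credentialed access, and it may later be copied as a configuration example. I would add a Javadoc line such as `/** Test fixture: "null" matches every opaque origin (sandboxed frame, file:, data:), not one site. */`. It is also worth passing an explicit non-credentialed value for `supportCredentials` unless credentials are what the test is meant to cover.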