Adding port check for Referer header

redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/interceptors/RequestValidationInterceptor.java

@@ -161,6 +161,7 @@ public class RequestValidationInterceptor extends AbstractInterceptor implements
     private boolean checkSourceRequestHeader(final URL targetUrl, final HttpServletRequest request) {
         boolean headerFound=false;
         String origin = request.getHeader(ORIGIN);
+        int targetPort = getPort(targetUrl);
         if (origin!=null) {
             try {
                 URL originUrl = new URL(origin);
@@ -175,7 +176,6 @@ public class RequestValidationInterceptor extends AbstractInterceptor implements
                     return false;
                 }
                 int originPort = getPort(originUrl);
-                int targetPort = getPort(targetUrl);
                 if (targetPort != originPort) {
                     log.warn("Origin Header Port does not match originUrl={}, targetUrl={}",originUrl,targetUrl);
                     return false;
@@ -195,6 +195,11 @@ public class RequestValidationInterceptor extends AbstractInterceptor implements
                     log.warn("Referer Header Host does not match refererUrl={}, targetUrl={}",refererUrl,targetUrl);
                     return false;
                 }
+                int refererPort = getPort(refererUrl);
+                if (targetPort != refererPort) {
+                    log.warn("Referer Header Port does not match refererUrl={}, targetUrl={}",refererUrl,targetUrl);
+                    return false;
+                }
             } catch (MalformedURLException ex) {
                 log.warn("Bad URL in Referer HTTP-Header: {}, Message: {}", referer, ex.getMessage());
                 return false;

redback-integrations/redback-rest/redback-rest-services/src/test/java/org/apache/archiva/redback/rest/services/AbstractRestServicesTest.java

@@ -158,6 +158,7 @@ public abstract class AbstractRestServicesTest
 
     protected UserService getUserService()
     {
+
         return getUserService( null );
     }
 
@@ -175,7 +176,7 @@ public abstract class AbstractRestServicesTest
         {
             WebClient.client( service ).header( "Authorization", authzHeader );
         }
-        WebClient.client(service).header("Referer","http://localhost");
+        WebClient.client(service).header("Referer","http://localhost:"+port);
         WebClient.client( service ).accept( MediaType.APPLICATION_JSON_TYPE );
         WebClient.client( service ).type( MediaType.APPLICATION_JSON_TYPE );
 
@@ -197,8 +198,7 @@ public abstract class AbstractRestServicesTest
         {
             WebClient.client( service ).header( "Authorization", authzHeader );
         }
-        WebClient.client( service ).header("Referer","http://localhost/");
+        WebClient.client(service).header("Referer","http://localhost:"+port);
-
 
         WebClient.client( service ).accept( MediaType.APPLICATION_JSON_TYPE );
         WebClient.client( service ).type( MediaType.APPLICATION_JSON_TYPE );
@@ -219,7 +219,7 @@ public abstract class AbstractRestServicesTest
         {
             WebClient.client( service ).header( "Authorization", authzHeader );
         }
-        WebClient.client( service ).header("Referer","http://localhost/");
+        WebClient.client(service).header("Referer","http://localhost:"+port);
 
         WebClient.client( service ).accept( MediaType.APPLICATION_JSON_TYPE );
         WebClient.client( service ).type( MediaType.APPLICATION_JSON_TYPE );
@@ -242,7 +242,7 @@ public abstract class AbstractRestServicesTest
         {
             WebClient.client( service ).header( "Authorization", authzHeader );
         }
-        WebClient.client( service ).header("Referer","http://localhost/");
+        WebClient.client(service).header("Referer","http://localhost:"+port);
 
         WebClient.client( service ).accept( MediaType.APPLICATION_JSON_TYPE );
         WebClient.client( service ).type( MediaType.APPLICATION_JSON_TYPE );