Adding port check for Referer header

This commit is contained in:
Martin Stockhammer 2017-01-30 22:42:33 +01:00
parent 95f1b3e430
commit e9bc481884
2 changed files with 11 additions and 6 deletions


@ -161,6 +161,7 @@ public class RequestValidationInterceptor extends AbstractInterceptor implements
private boolean checkSourceRequestHeader(final URL targetUrl, final HttpServletRequest request) {
boolean headerFound=false;
String origin = request.getHeader(ORIGIN);
int targetPort = getPort(targetUrl);
if (origin!=null) {
try {
URL originUrl = new URL(origin);
@ -175,7 +176,6 @@ public class RequestValidationInterceptor extends AbstractInterceptor implements
return false;
}
int originPort = getPort(originUrl);
int targetPort = getPort(targetUrl);
if (targetPort != originPort) {
log.warn("Origin Header Port does not match originUrl={}, targetUrl={}",originUrl,targetUrl);
return false;
@ -195,6 +195,11 @@ public class RequestValidationInterceptor extends AbstractInterceptor implements
log.warn("Referer Header Host does not match refererUrl={}, targetUrl={}",refererUrl,targetUrl);
return false;
}
int refererPort = getPort(refererUrl);
if (targetPort != refererPort) {
log.warn("Referer Header Port does not match refererUrl={}, targetUrl={}",refererUrl,targetUrl);
return false;
}
} catch (MalformedURLException ex) {
log.warn("Bad URL in Referer HTTP-Header: {}, Message: {}", referer, ex.getMessage());
return false;
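Review bot: The new Referer port comparison depends on `getPort` normalizing an unspecified port, because `java.net.URL.getPort()` returns -1 when the Referer carries no explicit port, so a Referer of `http://host` against a target of `http://host:80` (or vice versa) would be rejected as a mismatch unless `getPort` falls back to `getDefaultPort()`; `getPort` is not visible here, so that should be confirmed. The host check on the line above and this port check cover two parts of the same-origin tuple, but no scheme comparison is visible in this hunk; if it is not done elsewhere in the method, an `http://` Referer could still pass for an `https://` target when ports are not normalized. The Origin branch earlier in the method performs the identical comparison, so a shared helper such as `private boolean portMatches(URL a, URL b)` would keep the two paths from drifting. A short comment on the new block would also help, e.g. `// Same-origin check: host and port of the Referer must match the request target`. checkSourceRequestHeader starts in the first hunk and its body continues past the end of this one.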


@ -158,6 +158,7 @@ public abstract class AbstractRestServicesTest
protected UserService getUserService()
{
return getUserService( null );
}
@ -175,7 +176,7 @@ public abstract class AbstractRestServicesTest
{
WebClient.client( service ).header( "Authorization", authzHeader );
}
WebClient.client(service).header("Referer","http://localhost");
WebClient.client(service).header("Referer","http://localhost:"+port);
WebClient.client( service ).accept( MediaType.APPLICATION_JSON_TYPE );
WebClient.client( service ).type( MediaType.APPLICATION_JSON_TYPE );
@ -197,8 +198,7 @@ public abstract class AbstractRestServicesTest
{
WebClient.client( service ).header( "Authorization", authzHeader );
}
WebClient.client( service ).header("Referer","http://localhost/");
WebClient.client(service).header("Referer","http://localhost:"+port);
WebClient.client( service ).accept( MediaType.APPLICATION_JSON_TYPE );
WebClient.client( service ).type( MediaType.APPLICATION_JSON_TYPE );
@ -219,7 +219,7 @@ public abstract class AbstractRestServicesTest
{
WebClient.client( service ).header( "Authorization", authzHeader );
}
WebClient.client( service ).header("Referer","http://localhost/");
WebClient.client(service).header("Referer","http://localhost:"+port);
WebClient.client( service ).accept( MediaType.APPLICATION_JSON_TYPE );
WebClient.client( service ).type( MediaType.APPLICATION_JSON_TYPE );
@ -242,7 +242,7 @@ public abstract class AbstractRestServicesTest
{
WebClient.client( service ).header( "Authorization", authzHeader );
}
WebClient.client( service ).header("Referer","http://localhost/");
WebClient.client(service).header("Referer","http://localhost:"+port);
WebClient.client( service ).accept( MediaType.APPLICATION_JSON_TYPE );
WebClient.client( service ).type( MediaType.APPLICATION_JSON_TYPE );
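Review bot: The updated Referer value `"http://localhost:"+port` is now repeated verbatim in four service factories, so a single helper such as `private String refererHeader() { return "http://localhost:" + port; }` would keep the test client in step with the interceptor if the expected origin changes again. None of the hunks visible in this diff adds a case in which the Referer port differs from the server port, so as far as this page shows the new rejection path in RequestValidationInterceptor is not covered by a test; a case that sends `"http://localhost:" + (port + 1)` and asserts the request is refused would pin it. Each of these factories starts before its hunk, so the surrounding method bodies are not visible here.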