Merge pull request #244 from panchenko/SEC-3164

SEC-3164 Optimization in DefaultRequiresCsrfMatcher
2025-06-24 21:12:18 +00:00 · 2015-12-02 14:10:04 -06:00 · 2015-12-02 14:10:04 -06:00 · 3cc085bcdd
commit 3cc085bcdd
parent ed01213a27 cfa23b152e
1 changed files with 5 additions and 4 deletions
--- a/web/src/main/java/org/springframework/security/web/csrf/CsrfFilter.java
+++ b/web/src/main/java/org/springframework/security/web/csrf/CsrfFilter.java
@ -16,7 +16,8 @@
 package org.springframework.security.web.csrf;

 import java.io.IOException;
-import java.util.regex.Pattern;
+import java.util.Arrays;
+import java.util.HashSet;

 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
@ -62,7 +63,7 @@ public final class CsrfFilter extends OncePerRequestFilter {

 	private final Log logger = LogFactory.getLog(getClass());
 	private final CsrfTokenRepository tokenRepository;
-	private RequestMatcher requireCsrfProtectionMatcher = new DefaultRequiresCsrfMatcher();
+	private RequestMatcher requireCsrfProtectionMatcher = DEFAULT_CSRF_MATCHER;
 	private AccessDeniedHandler accessDeniedHandler = new AccessDeniedHandlerImpl();

 	public CsrfFilter(CsrfTokenRepository csrfTokenRepository) {
@ -235,7 +236,7 @@ public final class CsrfFilter extends OncePerRequestFilter {
 	}

 	private static final class DefaultRequiresCsrfMatcher implements RequestMatcher {
-		private Pattern allowedMethods = Pattern.compile("^(GET|HEAD|TRACE|OPTIONS)$");
+		private final HashSet<String> allowedMethods = new HashSet<>(Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS"));

 		/*
 		 * (non-Javadoc)
@ -245,7 +246,7 @@ public final class CsrfFilter extends OncePerRequestFilter {
 		 * servlet.http.HttpServletRequest)
 		 */
 		public boolean matches(HttpServletRequest request) {
-			return !allowedMethods.matcher(request.getMethod()).matches();
+			return !allowedMethods.contains(request.getMethod());
 		}
 	}
 }