Adding port check for Referer header
Project: http://git-wip-us.apache.org/repos/asf/archiva-redback-core/repo Commit: http://git-wip-us.apache.org/repos/asf/archiva-redback-core/commit/e9bc4818 Tree: http://git-wip-us.apache.org/repos/asf/archiva-redback-core/tree/e9bc4818 Diff: http://git-wip-us.apache.org/repos/asf/archiva-redback-core/diff/e9bc4818 Branch: refs/heads/feature/header_check Commit: e9bc4818844bf684e4fd16e3a5adc99fe9eb9f96 Parents: 95f1b3e Author: Martin Stockhammer <marti...@apache.org> Authored: Mon Jan 30 22:42:33 2017 +0100 Committer: Martin Stockhammer <marti...@apache.org> Committed: Mon Jan 30 22:42:33 2017 +0100 ---------------------------------------------------------------------- .../interceptors/RequestValidationInterceptor.java | 7 ++++++- .../redback/rest/services/AbstractRestServicesTest.java | 10 +++++----- 2 files changed, 11 insertions(+), 6 deletions(-) ----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/archiva-redback-core/blob/e9bc4818/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/interceptors/RequestValidationInterceptor.java ----------------------------------------------------------------------
diff --git a/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/interceptors/RequestValidationInterceptor.java b/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/interceptors/RequestValidationInterceptor.java
index 4300baf..182d23a 100644
--- a/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/interceptors/RequestValidationInterceptor.java
+++ b/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/interceptors/RequestValidationInterceptor.java
@@ -161,6 +161,7 @@ public class RequestValidationInterceptor extends AbstractInterceptor implements
 private boolean checkSourceRequestHeader(final URL targetUrl, final HttpServletRequest request) {
 boolean headerFound=false;
 String origin = request.getHeader(ORIGIN);
+ int targetPort = getPort(targetUrl);
 if (origin!=null) {
 try {
 URL originUrl = new URL(origin);
@@ -175,7 +176,6 @@ public class RequestValidationInterceptor extends AbstractInterceptor implements
 return false;
 }
 int originPort = getPort(originUrl);
- int targetPort = getPort(targetUrl);
 if (targetPort != originPort) {
 log.warn("Origin Header Port does not match originUrl={}, targetUrl={}",originUrl,targetUrl);
 return false;
@@ -195,6 +195,11 @@ public class RequestValidationInterceptor extends AbstractInterceptor implements
 log.warn("Referer Header Host does not match refererUrl={}, targetUrl={}",refererUrl,targetUrl);
 return false;
 }
+ int refererPort = getPort(refererUrl);
+ if (targetPort != refererPort) {
+ log.warn("Referer Header Port does not match refererUrl={}, targetUrl={}",refererUrl,targetUrl);
+ return false;
+ }
 } catch (MalformedURLException ex) {
 log.warn("Bad URL in Referer HTTP-Header: {}, Message: {}", referer, ex.getMessage());
 return false;
http://git-wip-us.apache.org/repos/asf/archiva-redback-core/blob/e9bc4818/redback-integrations/redback-rest/redback-rest-services/src/test/java/org/apache/archiva/redback/rest/services/AbstractRestServicesTest.java ----------------------------------------------------------------------
diff --git a/redback-integrations/redback-rest/redback-rest-services/src/test/java/org/apache/archiva/redback/rest/services/AbstractRestServicesTest.java b/redback-integrations/redback-rest/redback-rest-services/src/test/java/org/apache/archiva/redback/rest/services/AbstractRestServicesTest.java
index 0cab072..4b565a2 100644
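Review bot: The added Referer port comparison (the five lines before `} catch (MalformedURLException ex) {`) rejects a request whenever the port in the browser-supplied Referer differs from the port in targetUrl, and targetUrl is built outside this hunk; if it comes from the servlet connector (request.getServerPort() or similar) rather than from forwarded headers, a deployment behind a TLS-terminating reverse proxy will compare a Referer port such as 443 against a connector port such as 8080 and refuse every legitimate browser request, so that derivation needs to honour X-Forwarded-Host/X-Forwarded-Port or the requirement should be documented next to this check. The branch now compares host and port but not scheme, so unless the scheme is covered by the host check just above the hunk, an `http://` Referer carrying the same explicit port as an `https://` target still passes; a `if (!targetUrl.getProtocol().equals(refererUrl.getProtocol())) { return false; }` guard alongside the port check would close that. The comparison itself mirrors the Origin branch and I would add `// A same-host page served from another port is a different origin, so the port must match too.` above `int refererPort`. checkSourceRequestHeader starts in the first hunk of this file and its end, presumably where headerFound is returned, lies outside the hunks.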
--- a/redback-integrations/redback-rest/redback-rest-services/src/test/java/org/apache/archiva/redback/rest/services/AbstractRestServicesTest.java
+++ b/redback-integrations/redback-rest/redback-rest-services/src/test/java/org/apache/archiva/redback/rest/services/AbstractRestServicesTest.java
@@ -158,6 +158,7 @@ public abstract class AbstractRestServicesTest
 protected UserService getUserService()
 {
+ return getUserService( null );
 }
@@ -175,7 +176,7 @@ public abstract class AbstractRestServicesTest
 {
 WebClient.client( service ).header( "Authorization", authzHeader );
 }
- WebClient.client(service).header("Referer","http://localhost");
+ WebClient.client(service).header("Referer","http://localhost:"+port);
 WebClient.client( service ).accept( MediaType.APPLICATION_JSON_TYPE );
 WebClient.client( service ).type( MediaType.APPLICATION_JSON_TYPE );
@@ -197,8 +198,7 @@ public abstract class AbstractRestServicesTest
 {
 WebClient.client( service ).header( "Authorization", authzHeader );
 }
- WebClient.client( service ).header("Referer","http://localhost/");
-
+ WebClient.client(service).header("Referer","http://localhost:"+port);
 WebClient.client( service ).accept( MediaType.APPLICATION_JSON_TYPE );
 WebClient.client( service ).type( MediaType.APPLICATION_JSON_TYPE );
@@ -219,7 +219,7 @@ public abstract class AbstractRestServicesTest
 {
 WebClient.client( service ).header( "Authorization", authzHeader );
 }
- WebClient.client( service ).header("Referer","http://localhost/");
+ WebClient.client(service).header("Referer","http://localhost:"+port);
 WebClient.client( service ).accept( MediaType.APPLICATION_JSON_TYPE );
 WebClient.client( service ).type( MediaType.APPLICATION_JSON_TYPE );
@@ -242,7 +242,7 @@ public abstract class AbstractRestServicesTest
 {
 WebClient.client( service ).header( "Authorization", authzHeader );
 }
- WebClient.client( service ).header("Referer","http://localhost/");
+ WebClient.client(service).header("Referer","http://localhost:"+port);
 WebClient.client( service ).accept( MediaType.APPLICATION_JSON_TYPE );
 WebClient.client( service ).type( MediaType.APPLICATION_JSON_TYPE );
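Review bot: The replacement Referer line is written `WebClient.client(service).header("Referer","http://localhost:"+port);` while the accept and type calls directly below it keep the file's `WebClient.client( service )` spacing, so I would write it as `WebClient.client( service ).header( "Referer", "http://localhost:" + port );` to keep the setup block uniform. The same header value is now assembled in four places across this file; a small `private String localReferer() { return "http://localhost:" + port; }` helper would keep the test server's port in one spot if the interceptor's check is tightened further. The enclosing service-setup method begins before the hunk.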