
rombert pushed a commit to annotated tag org.apache.sling.security-1.0.0
in repository 
https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git

commit 825670533e48e3bb6283803248ffb8cae6a64cf4
Author: Carsten Ziegeler <[email protected]>
AuthorDate: Fri Jul 15 06:27:41 2011 +0000

    SLING-2141 - Add a way to check the referrer for modification requests
    
    git-svn-id: 
https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security@1146974
 13f79535-47bb-0310-9956-ffa450edef68
---
 .../apache/sling/security/impl/ReferrerFilter.java | 32 ++++++++++++++++++++--
 .../sling/security/impl/ReferrerFilterTest.java    |  9 ++++++
 2 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java 
b/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
index ed3dec5..b27ec45 100644
--- a/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
+++ b/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
@@ -44,16 +44,31 @@ public class ReferrerFilter implements Filter {
     /** Logger. */
     private final Logger logger = LoggerFactory.getLogger(this.getClass());
 
+    /** Default value for allow empty. */
     private static final boolean DEFAULT_ALLOW_EMPTY = true;
 
+    /** Allow empty property. */
     @Property(boolValue=DEFAULT_ALLOW_EMPTY)
     private static final String PROP_ALLOW_EMPTY = "allow.empty";
 
+    /** Default value for allow localhost. */
+    private static final boolean DEFAULT_ALLOW_LOCALHOST = true;
+
+    /** Allow localhost property. */
+    @Property(boolValue=DEFAULT_ALLOW_LOCALHOST)
+    private static final String PROP_ALLOW_LOCALHOST = "allow.localhost";
+
+    /** Allow empty property. */
     @Property(unbounded=PropertyUnbounded.ARRAY)
     private static final String PROP_HOSTS = "allow.hosts";
 
+    /** Do we allow empty referrer? */
     private boolean allowEmpty;
 
+    /** Do we allow localhost referrer? */
+    private boolean allowLocalhost;
+
+    /** Allowed hosts */
     private String[] allowHosts;
 
     /**
@@ -62,6 +77,7 @@ public class ReferrerFilter implements Filter {
     protected void activate(final ComponentContext ctx) {
         this.allowEmpty = 
OsgiUtil.toBoolean(ctx.getProperties().get(PROP_ALLOW_EMPTY), 
DEFAULT_ALLOW_EMPTY);
         this.allowHosts = 
OsgiUtil.toStringArray(ctx.getProperties().get(PROP_HOSTS));
+        this.allowLocalhost = 
OsgiUtil.toBoolean(ctx.getProperties().get(PROP_ALLOW_LOCALHOST), 
DEFAULT_ALLOW_LOCALHOST);
         if ( this.allowHosts != null ) {
             if ( this.allowHosts.length == 0 ) {
                 this.allowHosts = null;
@@ -109,8 +125,10 @@ public class ReferrerFilter implements Filter {
             // we consider this illegal
             return null;
         }
-        final int endPos = referrer.indexOf('/', startPos);
-        final String hostPart = (endPos == -1 ? referrer.substring(startPos) : 
referrer.substring(startPos, endPos));
+        final int paramStart = referrer.indexOf('?');
+        final String hostAndPath = (paramStart == -1 ? referrer : 
referrer.substring(0, paramStart));
+        final int endPos = hostAndPath.indexOf('/', startPos);
+        final String hostPart = (endPos == -1 ? 
hostAndPath.substring(startPos) : hostAndPath.substring(startPos, endPos));
         final int hostNameStart = hostPart.indexOf('@') + 1;
         final int hostNameEnd = hostPart.lastIndexOf(':');
         if (hostNameEnd < hostNameStart ) {
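Review bot: Cutting the referrer at `'?'` keeps query characters away from the `'@'`/`':'` scan on the following lines, but a `'#'` fragment is still scanned, so a referrer like `http://somehost#x@other` (no `/` after the authority) would presumably yield `other` as host through the same `indexOf('@')` path the query case just fixed. Cutting at whichever of `'?'` and `'#'` comes first closes that gap: `int cut = referrer.indexOf('?'); final int frag = referrer.indexOf('#'); if (frag != -1 && (cut == -1 || frag < cut)) { cut = frag; }` with `hostAndPath` then derived from `cut` instead of `paramStart`. Alternatively `java.net.URI` already implements authority parsing, including bracketed IPv6 literals that the `lastIndexOf(':')` port split cannot handle. getHost begins and ends outside this hunk.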
@@ -141,7 +159,15 @@ public class ReferrerFilter implements Filter {
             return false;
         }
         final boolean valid;
-        if ( this.allowHosts == null ) {
+        boolean isValidLocalHost = false;
+        if ( this.allowLocalhost ) {
+            if ( "localhost".equals(host) || "127.0.0.1".equals(host) ) {
+                isValidLocalHost = true;
+            }
+        }
+        if ( isValidLocalHost ) {
+            valid = true;
+        } else if ( this.allowHosts == null ) {
             valid = host.equals(request.getServerName());
         } else {
             boolean flag = false;
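Review bot: With `DEFAULT_ALLOW_LOCALHOST = true`, the new branch accepts any referrer whose host is `localhost` or `127.0.0.1` before the configured host list or `request.getServerName()` is consulted, and since getHost drops the port (see the `http://localhost:535` test), this trusts every locally served origin on any port rather than only this instance; the default should probably be `false`, or the widening documented on the property so operators opt in deliberately. The two-stage `if` can also collapse to `final boolean isValidLocalHost = this.allowLocalhost && ("localhost".equals(host) || "127.0.0.1".equals(host));`, which makes the intent readable at a glance. The IPv6 loopback `::1` is not recognised here, which may be intentional but is worth a comment. isValidRequest begins and ends outside this hunk.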
diff --git 
a/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java 
b/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java
index f6264c1..cd41e10 100644
--- a/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java
+++ b/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java
@@ -46,9 +46,16 @@ public class ReferrerFilterTest {
         Assert.assertEquals("somehost", 
filter.getHost("http://somehost/somewhere";));
         Assert.assertEquals("somehost", 
filter.getHost("http://somehost:4242/somewhere";));
         Assert.assertEquals("somehost", 
filter.getHost("http://admin@somehost/somewhere";));
+        Assert.assertEquals("somehost", 
filter.getHost("http://admin@somehost/somewhere?invald=@gagga";));
         Assert.assertEquals("somehost", 
filter.getHost("http://admin@somehost:1/somewhere";));
         Assert.assertEquals("somehost", 
filter.getHost("http://admin:admin@somehost/somewhere";));
         Assert.assertEquals("somehost", 
filter.getHost("http://admin:admin@somehost:4343/somewhere";));
+        Assert.assertEquals("localhost", filter.getHost("http://localhost";));
+        Assert.assertEquals("127.0.0.1", filter.getHost("http://127.0.0.1";));
+        Assert.assertEquals("localhost", 
filter.getHost("http://localhost:535";));
+        Assert.assertEquals("127.0.0.1", 
filter.getHost("http://127.0.0.1:242";));
+        Assert.assertEquals("localhost", 
filter.getHost("http://localhost:256235/etewteq.ff";));
+        Assert.assertEquals("127.0.0.1", 
filter.getHost("http://127.0.0.1/wetew.qerq";));
         Assert.assertEquals(null, 
filter.getHost("http:/admin:admin@somehost:4343/somewhere"));
     }
 
@@ -68,6 +75,8 @@ public class ReferrerFilterTest {
         Assert.assertEquals(true, 
filter.isValidRequest(getRequest("/relative/but/[illegal]")));
         Assert.assertEquals(false, 
filter.isValidRequest(getRequest("http://somehost";)));
         Assert.assertEquals(true, 
filter.isValidRequest(getRequest("http://me";)));
+        Assert.assertEquals(true, 
filter.isValidRequest(getRequest("http://localhost";)));
+        Assert.assertEquals(true, 
filter.isValidRequest(getRequest("http://127.0.0.1";)));
         Assert.assertEquals(false, 
filter.isValidRequest(getRequest("http://somehost/but/[illegal]";)));
         Assert.assertEquals(true, 
filter.isValidRequest(getRequest("http://me/but/[illegal]";)));
     }
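Review bot: The two new `isValidRequest` assertions only exercise the default-enabled path; nothing shows that a `localhost` or `127.0.0.1` referrer is rejected once `allow.localhost` is disabled, so a regression that ignored the flag would still pass. If the filter fixture used by `getRequest` can be configured (its construction is outside this hunk), add a second instance with the property set to `false` and assert `filter.isValidRequest(getRequest("http://localhost"))` is `false`. A case with an explicit port such as `http://localhost:8080` would also pin down that the port is not part of the decision.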

-- 