This is an automated email from the ASF dual-hosted git repository.
dsoumis pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new 600aa488c9 Refactor CORS validation order with explicit guard clauses
600aa488c9 is described below
commit 600aa488c9ed4e17e9716d74a3c4e50cce4467f4
Author: Dimitris Soumis <jimsou...@gmail.com>
AuthorDate: Fri Feb 14 12:24:28 2025 +0200
Refactor CORS validation order with explicit guard clauses
- Check for null originHeader first to prevent NPEs.
- Validate empty or invalid originHeader before performing same-origin
checks.
---
java/org/apache/catalina/filters/CorsFilter.java | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/java/org/apache/catalina/filters/CorsFilter.java
b/java/org/apache/catalina/filters/CorsFilter.java
index 8520a53a93..b8ab4e065c 100644
--- a/java/org/apache/catalina/filters/CorsFilter.java
+++ b/java/org/apache/catalina/filters/CorsFilter.java
@@ -542,12 +542,15 @@ public class CorsFilter extends GenericFilter {
throw new
IllegalArgumentException(sm.getString("corsFilter.nullRequest"));
}
String originHeader = request.getHeader(REQUEST_HEADER_ORIGIN);
- if (originHeader == null || RequestUtil.isSameOrigin(request,
originHeader)) {
+ if (originHeader == null) {
return CORSRequestType.NOT_CORS;
}
- if (originHeader.isEmpty() ||!RequestUtil.isValidOrigin(originHeader))
{
+ if (originHeader.isEmpty() ||
!RequestUtil.isValidOrigin(originHeader)) {
return CORSRequestType.INVALID_CORS;
}
+ if(RequestUtil.isSameOrigin(request, originHeader)) {
+ return CORSRequestType.NOT_CORS;
+ }
String method = request.getMethod();
if (method == null) {
return CORSRequestType.INVALID_CORS;
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
