details: https://code.openbravo.com/erp/devel/pi/rev/5673d02fb2af changeset: 34807:5673d02fb2af user: Augusto Mauch <augusto.mauch <at> openbravo.com> date: Wed Sep 26 11:51:13 2018 +0200 summary: Fixes issue 39316: Unneeded error shown in log if origin is empty
The problem was that sometimes the Origin request param is set to "null" (string with "null" as content). In that case, the null checks were not met, and an actual check against the allowed origins was done. This check failed and the error was shown in the log. If the origin is empty, null or "null" the check does not need to be done.
diffstat:
 src/org/openbravo/base/secureApp/AllowedCrossDomainsHandler.java | 54 +++++----
 1 files changed, 28 insertions(+), 26 deletions(-)
diffs (105 lines):
diff -r fabe6e99f181 -r 5673d02fb2af src/org/openbravo/base/secureApp/AllowedCrossDomainsHandler.java
--- a/src/org/openbravo/base/secureApp/AllowedCrossDomainsHandler.java Tue Sep 25 18:57:02 2018 +0000
+++ b/src/org/openbravo/base/secureApp/AllowedCrossDomainsHandler.java Wed Sep 26 11:51:13 2018 +0200
@@ -11,7 +11,7 @@
  * under the License.
  * The Original Code is Openbravo ERP.
  * The Initial Developer of the Original Code is Openbravo SLU
- * All portions are Copyright (C) 2016 Openbravo SLU
+ * All portions are Copyright (C) 2016-2018 Openbravo SLU
  * All Rights Reserved.
  * Contributor(s): ______________________________________.
  ************************************************************************
@@ -63,7 +63,7 @@
   private boolean fromAllowedOrigin(HttpServletRequest request) {
     final String origin = request.getHeader("Origin");
-    if (origin == null) {
+    if (isNullOrEmpty(origin)) {
       return false;
     }
@@ -76,15 +76,16 @@
   }
   /**
-   * Checks if an origin is set on the header, if not then false is returned. If there are no checkers installed then also false
-   * is returned. If there are checkers installed then the origin is checked and the result is returned.
+   * Checks if an origin is set on the header, if not then false is returned. If there are no
+   * checkers installed then also false is returned. If there are checkers installed then the origin
+   * is checked and the result is returned.
    *
    * Note: will return true if there is indeed an invalid confirmed origin.
    */
   public boolean isCheckedInvalidOrigin(HttpServletRequest request) {
     final String origin = request.getHeader("Origin");
-    if (origin == null) {
+    if (isNullOrEmpty(origin)) {
       return false;
     }
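Review bot: After this hunk a request carrying the literal header `Origin: null` makes isCheckedInvalidOrigin return false, i.e. it is no longer reported as a confirmed-invalid origin, whereas per the javadoc it previously went to the installed checkers and, failing them, was flagged as invalid. "null" is not a client bug but the serialized opaque origin browsers send for sandboxed iframes, cross-origin redirects and file:/data: documents, so an attacker can produce it on purpose; if any caller (not visible here) uses this method as a CSRF or same-origin gate, the change turns a rejection into a pass. Consider limiting the short-circuit in this method to a genuinely absent header, `if (origin == null || origin.isEmpty()) { return false; }`, and quietening the log for "null" where the error is actually logged, or explicitly returning true for "null" when checkers are installed. The reworded javadoc should also state that a literal "null" origin is treated as unset, since the current text only says "set on the header". The method body continues past the end of the hunk.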
@@ -124,34 +125,31 @@
    */
   public void setCORSHeaders(HttpServletRequest request, HttpServletResponse response) {
-    // don't do anything if no checkers anyway
-    if (getCheckers().isEmpty()) {
+    final String origin = request.getHeader("Origin");
+
+    // don't do anything if no checkers or no origin
+    if (getCheckers().isEmpty() || isNullOrEmpty(origin)) {
       return;
     }
     try {
-      final String origin = request.getHeader("Origin");
+      if (request.getRequestURL().indexOf(origin) == 0) {
+        // if the request url starts with the origin then no need to set
+        // headers either
+        return;
+      }
-      if (origin != null && !origin.equals("")) {
+      if (!fromAllowedOrigin(request)) {
+        return;
+      }
-        if (request.getRequestURL().indexOf(origin) == 0) {
-          // if the request url starts with the origin then no need to set
-          // headers either
-          return;
-        }
+      response.setHeader("Access-Control-Allow-Origin", origin);
+      response.setHeader("Access-Control-Allow-Credentials", "true");
+      response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS");
+      response.setHeader("Access-Control-Allow-Headers",
+          "Content-Type, Origin, Accept, X-Requested-With, Access-Control-Allow-Credentials");
-        if (!fromAllowedOrigin(request)) {
-          return;
-        }
-
-        response.setHeader("Access-Control-Allow-Origin", origin);
-        response.setHeader("Access-Control-Allow-Credentials", "true");
-        response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS");
-        response.setHeader("Access-Control-Allow-Headers",
-            "Content-Type, Origin, Accept, X-Requested-With, Access-Control-Allow-Credentials");
-
-        response.setHeader("Access-Control-Max-Age", "10000");
-      }
+      response.setHeader("Access-Control-Max-Age", "10000");
     } catch (Exception logIt) {
       // on purpose not stopping on this to retain some robustness
       log.error(
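Review bot: The flattened code still echoes a per-request value into `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true` but never emits `Vary: Origin`, so a shared cache or CDN in front of the servlet can replay a response carrying one allowed origin's headers to a request from another origin. Add `response.addHeader("Vary", "Origin");` next to the Allow-Origin line. Separately, `request.getRequestURL().indexOf(origin) == 0` is a plain prefix test: an origin without the port, or a look-alike such as `https://host.example.co` against a request URL `https://host.example.com:8443/...`, is taken as same-origin and the headers are silently skipped (fail-closed, but a legitimately allowed cross-port origin gets no CORS headers); comparing scheme, host and port parsed from the URL, or at least requiring the character after the prefix to be `/`, makes the shortcut exact. The try/catch and the `log.error(` call continue past the end of the hunk.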
@@ -160,6 +158,10 @@
     }
   }
+  private boolean isNullOrEmpty(final String origin) {
+    return origin == null || origin.equals("") || origin.equals("null");
+  }
+
   /**
    * Implementation provided by modules which determine if a request is coming from an allowed
    * origin.
_______________________________________________ Openbravo-commits mailing list Openbravo-commits@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openbravo-commits
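Review bot: `isNullOrEmpty` also matches the literal string "null", which neither its name nor any comment at the definition conveys, so a reader of the three call sites will assume a plain null/empty test and miss that a real header value is being discarded. "null" is the serialized opaque origin browsers send for sandboxed iframes, cross-origin redirects and file:/data: documents, not a malformed client value, and that reasoning belongs above the method, e.g. `// "null" is the opaque origin browsers send (sandboxed iframe, cross-origin redirect, file:/data:); it must never be treated as an allowed origin, so handle it like an absent header instead of logging a failed check`. A name such as `isAbsentOrigin` would make the intent visible at the call sites, and `origin.equals("")` can be `origin.isEmpty()`.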