From cziege...@apache.org
Subject svn commit: r1146974 - in /sling/trunk/contrib/extensions/security/src: main/java/org/apache/sling/security/impl/ReferrerFilter.java test/java/org/apache/sling/security/impl/ReferrerFilterTest.java
Date Fri, 15 Jul 2011 06:27:42 GMT
Author: cziegeler
Date: Fri Jul 15 06:27:41 2011
New Revision: 1146974

URL: http://svn.apache.org/viewvc?rev=1146974&view=rev
Log:
SLING-2141 - Add a way to check the referrer for modification requests

Modified:
    sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
    sling/trunk/contrib/extensions/security/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java

Modified: sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
URL: http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java?rev=1146974&r1=1146973&r2=1146974&view=diff
==============================================================================
--- sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
(original)
+++ sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
Fri Jul 15 06:27:41 2011
@@ -44,16 +44,31 @@ public class ReferrerFilter implements F
     /** Logger. */
     private final Logger logger = LoggerFactory.getLogger(this.getClass());
 
+    /** Default value for allow empty. */
     private static final boolean DEFAULT_ALLOW_EMPTY = true;
 
+    /** Allow empty property. */
     @Property(boolValue=DEFAULT_ALLOW_EMPTY)
     private static final String PROP_ALLOW_EMPTY = "allow.empty";
 
+    /** Default value for allow localhost. */
+    private static final boolean DEFAULT_ALLOW_LOCALHOST = true;
+
+    /** Allow localhost property. */
+    @Property(boolValue=DEFAULT_ALLOW_LOCALHOST)
+    private static final String PROP_ALLOW_LOCALHOST = "allow.localhost";
+
+    /** Allow empty property. */
     @Property(unbounded=PropertyUnbounded.ARRAY)
     private static final String PROP_HOSTS = "allow.hosts";
 
+    /** Do we allow empty referrer? */
     private boolean allowEmpty;
 
+    /** Do we allow localhost referrer? */
+    private boolean allowLocalhost;
+
+    /** Allowed hosts */
     private String[] allowHosts;
 
     /**
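Review bot: The Javadoc added for PROP_HOSTS reads "Allow empty property.", copied from the PROP_ALLOW_EMPTY comment just above it; it should read `/** Allowed hosts property. */`. The new field comment `/** Allowed hosts */` is also the only one in the hunk without a terminating period, unlike its siblings. The class body continues outside the hunk.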
@@ -62,6 +77,7 @@ public class ReferrerFilter implements F
     protected void activate(final ComponentContext ctx) {
         this.allowEmpty = OsgiUtil.toBoolean(ctx.getProperties().get(PROP_ALLOW_EMPTY), DEFAULT_ALLOW_EMPTY);
         this.allowHosts = OsgiUtil.toStringArray(ctx.getProperties().get(PROP_HOSTS));
+        this.allowLocalhost = OsgiUtil.toBoolean(ctx.getProperties().get(PROP_ALLOW_LOCALHOST),
DEFAULT_ALLOW_LOCALHOST);
         if ( this.allowHosts != null ) {
             if ( this.allowHosts.length == 0 ) {
                 this.allowHosts = null;
@@ -109,8 +125,10 @@ public class ReferrerFilter implements F
             // we consider this illegal
             return null;
         }
-        final int endPos = referrer.indexOf('/', startPos);
-        final String hostPart = (endPos == -1 ? referrer.substring(startPos) : referrer.substring(startPos,
endPos));
+        final int paramStart = referrer.indexOf('?');
+        final String hostAndPath = (paramStart == -1 ? referrer : referrer.substring(0, paramStart));
+        final int endPos = hostAndPath.indexOf('/', startPos);
+        final String hostPart = (endPos == -1 ? hostAndPath.substring(startPos) : hostAndPath.substring(startPos,
endPos));
         final int hostNameStart = hostPart.indexOf('@') + 1;
         final int hostNameEnd = hostPart.lastIndexOf(':');
         if (hostNameEnd < hostNameStart ) {
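Review bot: The new cut at '?' leaves the fragment delimiter unhandled: for a referrer with no path but a '#' fragment, `hostAndPath` still contains everything after the host, so the later `indexOf('@')` and `lastIndexOf(':')` scans run into fragment text just as they ran into query text before this change. Per RFC 3986 the authority ends at the first '/', '?' or '#', so the cut should be at whichever of '?' and '#' appears first. If startPos can exceed that cut (a '?' or '#' before the scheme separator), `substring(startPos)` would throw; worth a guard unless the earlier "illegal" check already rules it out — that check and the startPos computation are outside the hunk.
```java
        final int queryStart = referrer.indexOf('?');
        final int fragmentStart = referrer.indexOf('#');
        // the authority ends at the first '?' or '#' (RFC 3986); -1 means absent
        int cut = referrer.length();
        if (queryStart != -1) cut = Math.min(cut, queryStart);
        if (fragmentStart != -1) cut = Math.min(cut, fragmentStart);
        final String hostAndPath = referrer.substring(0, cut);
        // … unchanged: '/' scan and host/port extraction …
```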
@@ -141,7 +159,15 @@ public class ReferrerFilter implements F
             return false;
         }
         final boolean valid;
-        if ( this.allowHosts == null ) {
+        boolean isValidLocalHost = false;
+        if ( this.allowLocalhost ) {
+            if ( "localhost".equals(host) || "127.0.0.1".equals(host) ) {
+                isValidLocalHost = true;
+            }
+        }
+        if ( isValidLocalHost ) {
+            valid = true;
+        } else if ( this.allowHosts == null ) {
             valid = host.equals(request.getServerName());
         } else {
             boolean flag = false;
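Review bot: The localhost short-circuit accepts any referrer whose host is "localhost" or "127.0.0.1" without comparing it to `request.getServerName()`, and because the Referer header is client-supplied and DEFAULT_ALLOW_LOCALHOST is true, the default configuration no longer requires the referrer to name the served host; consider defaulting the property to false, or documenting that trade-off in the PROP_ALLOW_LOCALHOST Javadoc so operators can decide. The comparison is also case-sensitive, so a `LOCALHOST` referrer falls through to the server-name comparison although DNS names are case-insensitive. The two nested ifs collapse to `final boolean isValidLocalHost = this.allowLocalhost && ("localhost".equalsIgnoreCase(host) || "127.0.0.1".equals(host));`. isValidRequest starts and ends outside the hunk.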

Modified: sling/trunk/contrib/extensions/security/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java
URL: http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/security/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java?rev=1146974&r1=1146973&r2=1146974&view=diff
==============================================================================
--- sling/trunk/contrib/extensions/security/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java
(original)
+++ sling/trunk/contrib/extensions/security/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java
Fri Jul 15 06:27:41 2011
@@ -46,9 +46,16 @@ public class ReferrerFilterTest {
         Assert.assertEquals("somehost", filter.getHost("http://somehost/somewhere"));
         Assert.assertEquals("somehost", filter.getHost("http://somehost:4242/somewhere"));
         Assert.assertEquals("somehost", filter.getHost("http://admin@somehost/somewhere"));
+        Assert.assertEquals("somehost", filter.getHost("http://admin@somehost/somewhere?invald=@gagga"));
         Assert.assertEquals("somehost", filter.getHost("http://admin@somehost:1/somewhere"));
         Assert.assertEquals("somehost", filter.getHost("http://admin:admin@somehost/somewhere"));
         Assert.assertEquals("somehost", filter.getHost("http://admin:admin@somehost:4343/somewhere"));
+        Assert.assertEquals("localhost", filter.getHost("http://localhost"));
+        Assert.assertEquals("127.0.0.1", filter.getHost("http://127.0.0.1"));
+        Assert.assertEquals("localhost", filter.getHost("http://localhost:535"));
+        Assert.assertEquals("127.0.0.1", filter.getHost("http://127.0.0.1:242"));
+        Assert.assertEquals("localhost", filter.getHost("http://localhost:256235/etewteq.ff"));
+        Assert.assertEquals("127.0.0.1", filter.getHost("http://127.0.0.1/wetew.qerq"));
         Assert.assertEquals(null, filter.getHost("http:/admin:admin@somehost:4343/somewhere"));
     }
 
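Review bot: The assertion added for `http://admin@somehost/somewhere?invald=@gagga` does not exercise the new '?' handling, because the '/' before the query already bounded the host part in the old code; the case the fix distinguishes is a query with no path, e.g. `Assert.assertEquals("somehost", filter.getHost("http://somehost?x=@y"));`. A fragment without a path (`http://somehost#@y`) is likewise untested and, from the production hunk, presumably still unhandled. The test method's setup is outside the hunk.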
@@ -68,6 +75,8 @@ public class ReferrerFilterTest {
         Assert.assertEquals(true, filter.isValidRequest(getRequest("/relative/but/[illegal]")));
         Assert.assertEquals(false, filter.isValidRequest(getRequest("http://somehost")));
         Assert.assertEquals(true, filter.isValidRequest(getRequest("http://me")));
+        Assert.assertEquals(true, filter.isValidRequest(getRequest("http://localhost")));
+        Assert.assertEquals(true, filter.isValidRequest(getRequest("http://127.0.0.1")));
         Assert.assertEquals(false, filter.isValidRequest(getRequest("http://somehost/but/[illegal]")));
         Assert.assertEquals(true, filter.isValidRequest(getRequest("http://me/but/[illegal]")));
     }
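Review bot: The two new localhost assertions pass only because `allow.localhost` defaults to true and nothing visible in the hunk sets it, so a regression that ignored the flag entirely would go unnoticed. Suggest a second filter activated with `allow.localhost` set to false and an assertion that `filter.isValidRequest(getRequest("http://localhost"))` is then false, matching how the existing `http://somehost` case is expected to fail. The filter activation and getRequest helper are outside the hunk.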


