Subject: svn commit: r1163660 - in /sling/trunk/contrib/extensions/security: pom.xml src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
Date: Wed, 31 Aug 2011 15:12:01 -0000
To: commits@sling.apache.org
From: justin@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20110831151201.466D02388900@eris.apache.org> Author: justin Date: Wed Aug 31 15:12:00 2011 New Revision: 1163660 URL: http://svn.apache.org/viewvc?rev=1163660&view=rev Log: SLING-2198 - allowing request if the referrer host name matches the request host name (also, internalizing the PropertiesUtil class for compatibility purposes) Modified: sling/trunk/contrib/extensions/security/pom.xml sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java Modified: sling/trunk/contrib/extensions/security/pom.xml URL: http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/security/pom.xml?rev=1163660&r1=1163659&r2=1163660&view=diff ============================================================================== --- sling/trunk/contrib/extensions/security/pom.xml (original) +++ sling/trunk/contrib/extensions/security/pom.xml Wed Aug 31 15:12:00 2011 @@ -58,6 +58,9 @@ sling + + org.apache.sling.commons.osgi;inline=org/apache/sling/commons/osgi/PropertiesUtil.* + org.apache.sling.security.impl Modified: sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java URL: http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java?rev=1163660&r1=1163659&r2=1163660&view=diff ============================================================================== --- sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java (original) +++ sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java Wed Aug 31 15:12:00 2011 
@@ -282,6 +282,12 @@ public class ReferrerFilter implements F return false; } + // allow the request if the host name of the referrer is + // the same as the request's host name + if ( info.host.equals(request.getServerName()) ) { + return true; + } + boolean valid = false; for(final URL ref : this.allowedReferrers) { if ( info.host.equals(ref.getHost()) && info.scheme.equals(ref.getProtocol()) ) {
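Review bot: the pom.xml hunk carries no in-file reason for the `inline=org/apache/sling/commons/osgi/PropertiesUtil.*` entry. The commit log says it is for compatibility, but a later reader of the pom will not see that. Suggest an XML comment next to the entry naming the compatibility constraint, so the embedding can be removed once it no longer applies. The inlined copy of PropertiesUtil is also fixed at the version resolved at build time, so later changes to the class in org.apache.sling.commons.osgi will not reach this bundle until it is rebuilt.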
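Review bot: in the ReferrerFilter.java hunk, the new shortcut `info.host.equals(request.getServerName())` returns true on a host match alone, while the `allowedReferrers` loop directly below it requires both host and scheme to match (`info.scheme.equals(ref.getProtocol())`). As written, an http referrer on the same host name is accepted for an https request, and any port on that host is accepted too. Suggest also requiring `info.scheme.equals(request.getScheme())` so the shortcut is no weaker than the configured-referrer path, and deciding explicitly whether the port should be compared. Two smaller points on the same line: `String.equals` is case-sensitive while host names are not, so `equalsIgnoreCase` (or normalizing both sides) avoids rejecting legitimate requests, and `request.getServerName()` is derived from the request's Host header, so behind a reverse proxy that rewrites Host the value may differ from the host the browser placed in the Referer. A code comment stating that dependency would help operators who deploy the filter behind a proxy.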