Fixes NPE in CorsHandler for unauthorized preflight requests (#7865)

Motivation:
NPE in `CorsHandler` if a pre-flight request is done using an Origin header which is not allowed by any `CorsConfig` passed to the handler on creation.

Modifications:
During the pre-flight, check the `CorsConfig` for `null` and handle it correctly by not returning any access-control header

Result:
No more NPE for pre-flight requests with unauthorized origins.
Gustavo Fernandes 2018-04-13 13:36:45 +01:00 committed by Norman Maurer
parent da2e91b33a
commit f874a37ecb
2 changed files with 11 additions and 2 deletions


@ -38,6 +38,7 @@ import static io.netty.handler.codec.http.HttpResponseStatus.FORBIDDEN;
import static io.netty.handler.codec.http.HttpResponseStatus.OK;
import static io.netty.util.ReferenceCountUtil.release;
import static io.netty.util.internal.ObjectUtil.checkNonEmpty;
import static io.netty.util.internal.ObjectUtil.checkNotNull;
/**
* Handles <a href="http://www.w3.org/TR/cors/">Cross Origin Resource Sharing</a> (CORS) requests.
@ -60,7 +61,7 @@ public class CorsHandler extends ChannelDuplexHandler {
* Creates a new instance with a single {@link CorsConfig}.
*/
public CorsHandler(final CorsConfig config) {
this(Collections.singletonList(config), config.isShortCircuit());
this(Collections.singletonList(checkNotNull(config, "config")), config.isShortCircuit());
}
/**
@ -137,7 +138,7 @@ public class CorsHandler extends ChannelDuplexHandler {
private boolean setOrigin(final HttpResponse response) {
final String origin = request.headers().get(HttpHeaderNames.ORIGIN);
if (origin != null) {
if (origin != null && config != null) {
if (NULL_ORIGIN.equals(origin) && config.isNullOriginAllowed()) {
setNullOrigin(response);
return true;
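Review bot: The added `config != null` guard in `setOrigin` makes an Origin that matched no `CorsConfig` fall through exactly like a request with no `Origin` header at all, and nothing on the line records why `config` can be null, so a later reader may be tempted to drop the check. I would put the reason next to it: `// config is null when no configured CorsConfig matched the request Origin; answer with no CORS headers so the browser blocks the cross-origin call`. A rejected preflight is also a useful signal of a misconfigured or probing client, so a debug-level log for the null-config case is worth considering; the `FORBIDDEN` import visible in the first hunk suggests a short-circuit rejection path exists, but whether it applies to a preflight with no matching config is not visible here. `setOrigin`'s body continues past the end of the hunk.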


@ -149,6 +149,14 @@ public class CorsHandlerTest {
assertThat(response.headers().get(CONTENT_LENGTH), is("0"));
}
@Test
public void preflightRequestWithUnauthorizedOrigin() {
final String origin = "http://host";
final CorsConfig config = forOrigin("http://localhost").build();
final HttpResponse response = preflightRequest(config, origin, "xheader1");
assertThat(response.headers().contains(ACCESS_CONTROL_ALLOW_ORIGIN), is(false));
}
@Test
public void preflightRequestWithCustomHeaders() {
final String headerName = "CustomHeader";
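Review bot: `preflightRequestWithUnauthorizedOrigin` only asserts that `Access-Control-Allow-Origin` is absent, so a regression that still emits the other access-control headers (allow-methods, allow-headers, allow-credentials, max-age) for the rejected origin would pass unnoticed. I would extend it with `assertThat(response.headers().contains(ACCESS_CONTROL_ALLOW_METHODS), is(false));` and the same assertion for `ACCESS_CONTROL_ALLOW_HEADERS` and `ACCESS_CONTROL_ALLOW_CREDENTIALS`, assuming those `HttpHeaderNames` constants are statically imported the way `ACCESS_CONTROL_ALLOW_ORIGIN` and `CONTENT_LENGTH` are. Pinning the response status for this case would also document the intended behavior for unmatched origins, but the expected status is not visible in this hunk.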