Author: cziegeler
Date: Fri Jul 15 06:27:41 2011
New Revision: 1146974

URL: http://svn.apache.org/viewvc?rev=1146974&view=rev
Log:
SLING-2141 - Add a way to check the referrer for modification requests

Modified:
    
sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
    
sling/trunk/contrib/extensions/security/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java

Modified: 
sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
URL: 
http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java?rev=1146974&r1=1146973&r2=1146974&view=diff
==============================================================================
--- 
sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
 (original)
+++ 
sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
 Fri Jul 15 06:27:41 2011
@@ -44,16 +44,31 @@ public class ReferrerFilter implements F
     /** Logger. */
     private final Logger logger = LoggerFactory.getLogger(this.getClass());
 
+    /** Default value for allow empty. */
     private static final boolean DEFAULT_ALLOW_EMPTY = true;
 
+    /** Allow empty property. */
     @Property(boolValue=DEFAULT_ALLOW_EMPTY)
     private static final String PROP_ALLOW_EMPTY = "allow.empty";
 
+    /** Default value for allow localhost. */
+    private static final boolean DEFAULT_ALLOW_LOCALHOST = true;
+
+    /** Allow localhost property. */
+    @Property(boolValue=DEFAULT_ALLOW_LOCALHOST)
+    private static final String PROP_ALLOW_LOCALHOST = "allow.localhost";
+
+    /** Allow empty property. */
     @Property(unbounded=PropertyUnbounded.ARRAY)
     private static final String PROP_HOSTS = "allow.hosts";
 
+    /** Do we allow empty referrer? */
     private boolean allowEmpty;
 
+    /** Do we allow localhost referrer? */
+    private boolean allowLocalhost;
+
+    /** Allowed hosts */
     private String[] allowHosts;
 
     /**
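Review bot: The Javadoc added above `PROP_HOSTS` repeats the one on `PROP_ALLOW_EMPTY` ("Allow empty property.") although the constant names the `allow.hosts` array; it should read `/** Allowed hosts property. */`. The comment on `allowHosts` ("Allowed hosts") would also help readers if it stated that an unset or empty array is normalised to null in activate() and then means "the referrer host must equal the request's server name", which is the rule isValidRequest applies further down. The enclosing class continues outside this hunk.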
@@ -62,6 +77,7 @@ public class ReferrerFilter implements F
     protected void activate(final ComponentContext ctx) {
         this.allowEmpty = 
OsgiUtil.toBoolean(ctx.getProperties().get(PROP_ALLOW_EMPTY), 
DEFAULT_ALLOW_EMPTY);
         this.allowHosts = 
OsgiUtil.toStringArray(ctx.getProperties().get(PROP_HOSTS));
+        this.allowLocalhost = 
OsgiUtil.toBoolean(ctx.getProperties().get(PROP_ALLOW_LOCALHOST), 
DEFAULT_ALLOW_LOCALHOST);
         if ( this.allowHosts != null ) {
             if ( this.allowHosts.length == 0 ) {
                 this.allowHosts = null;
@@ -109,8 +125,10 @@ public class ReferrerFilter implements F
             // we consider this illegal
             return null;
         }
-        final int endPos = referrer.indexOf('/', startPos);
-        final String hostPart = (endPos == -1 ? referrer.substring(startPos) : 
referrer.substring(startPos, endPos));
+        final int paramStart = referrer.indexOf('?');
+        final String hostAndPath = (paramStart == -1 ? referrer : 
referrer.substring(0, paramStart));
+        final int endPos = hostAndPath.indexOf('/', startPos);
+        final String hostPart = (endPos == -1 ? 
hostAndPath.substring(startPos) : hostAndPath.substring(startPos, endPos));
         final int hostNameStart = hostPart.indexOf('@') + 1;
         final int hostNameEnd = hostPart.lastIndexOf(':');
         if (hostNameEnd < hostNameStart ) {
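Review bot: The new parse cuts the query off before searching for `@`, but a `#` fragment is still part of `hostAndPath`, so an `@` that appears after a fragment is still taken as the userinfo delimiter and the text after it becomes the returned host; the cut should be the earlier of the two delimiters, e.g. `int cut = referrer.indexOf('?');` / `final int frag = referrer.indexOf('#');` / `if (frag != -1 && (cut == -1 || frag < cut)) cut = frag;` and then slice on `cut`. Hand-parsing the authority this way also leaves `lastIndexOf(':')` likely mis-splitting a bracketed IPv6 literal such as `[::1]`; `java.net.URI.create(referrer).getHost()`, with `IllegalArgumentException` mapped to the existing `return null`, would handle userinfo, port, query and fragment in one place. The getHost test hunk in ReferrerFilterTest.java adds a `?…@…` case but no fragment case, so this gap is not covered by the commit's tests. getHost starts before this hunk.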
@@ -141,7 +159,15 @@ public class ReferrerFilter implements F
             return false;
         }
         final boolean valid;
-        if ( this.allowHosts == null ) {
+        boolean isValidLocalHost = false;
+        if ( this.allowLocalhost ) {
+            if ( "localhost".equals(host) || "127.0.0.1".equals(host) ) {
+                isValidLocalHost = true;
+            }
+        }
+        if ( isValidLocalHost ) {
+            valid = true;
+        } else if ( this.allowHosts == null ) {
             valid = host.equals(request.getServerName());
         } else {
             boolean flag = false;
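Review bot: The new loopback shortcut at the top of the validity check returns `valid = true` for any referrer whose host parses as `localhost` or `127.0.0.1` before the allow-list or server-name comparison runs, and `DEFAULT_ALLOW_LOCALHOST` is true, so existing installations silently accept more after upgrading; either default `allow.localhost` to false or state in the property Javadoc that a loopback referrer is trusted regardless of the host name the request was addressed to. The check also names only the IPv4 loopback, so an IPv6 loopback referrer (`::1`) falls through to the stricter branches, which is inconsistent with the option's name. The nested ifs collapse to one expression: `final boolean isValidLocalHost = this.allowLocalhost && ("localhost".equals(host) || "127.0.0.1".equals(host));`. isValidRequest starts and ends outside this hunk.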

Modified: 
sling/trunk/contrib/extensions/security/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java
URL: 
http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/security/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java?rev=1146974&r1=1146973&r2=1146974&view=diff
==============================================================================
--- 
sling/trunk/contrib/extensions/security/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java
 (original)
+++ 
sling/trunk/contrib/extensions/security/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java
 Fri Jul 15 06:27:41 2011
@@ -46,9 +46,16 @@ public class ReferrerFilterTest {
         Assert.assertEquals("somehost", 
filter.getHost("http://somehost/somewhere";));
         Assert.assertEquals("somehost", 
filter.getHost("http://somehost:4242/somewhere";));
         Assert.assertEquals("somehost", 
filter.getHost("http://admin@somehost/somewhere";));
+        Assert.assertEquals("somehost", 
filter.getHost("http://admin@somehost/somewhere?invald=@gagga";));
         Assert.assertEquals("somehost", 
filter.getHost("http://admin@somehost:1/somewhere";));
         Assert.assertEquals("somehost", 
filter.getHost("http://admin:admin@somehost/somewhere";));
         Assert.assertEquals("somehost", 
filter.getHost("http://admin:admin@somehost:4343/somewhere";));
+        Assert.assertEquals("localhost", filter.getHost("http://localhost";));
+        Assert.assertEquals("127.0.0.1", filter.getHost("http://127.0.0.1";));
+        Assert.assertEquals("localhost", 
filter.getHost("http://localhost:535";));
+        Assert.assertEquals("127.0.0.1", 
filter.getHost("http://127.0.0.1:242";));
+        Assert.assertEquals("localhost", 
filter.getHost("http://localhost:256235/etewteq.ff";));
+        Assert.assertEquals("127.0.0.1", 
filter.getHost("http://127.0.0.1/wetew.qerq";));
         Assert.assertEquals(null, 
filter.getHost("http:/admin:admin@somehost:4343/somewhere"));
     }
 
@@ -68,6 +75,8 @@ public class ReferrerFilterTest {
         Assert.assertEquals(true, 
filter.isValidRequest(getRequest("/relative/but/[illegal]")));
         Assert.assertEquals(false, 
filter.isValidRequest(getRequest("http://somehost";)));
         Assert.assertEquals(true, 
filter.isValidRequest(getRequest("http://me";)));
+        Assert.assertEquals(true, 
filter.isValidRequest(getRequest("http://localhost";)));
+        Assert.assertEquals(true, 
filter.isValidRequest(getRequest("http://127.0.0.1";)));
         Assert.assertEquals(false, 
filter.isValidRequest(getRequest("http://somehost/but/[illegal]";)));
         Assert.assertEquals(true, 
filter.isValidRequest(getRequest("http://me/but/[illegal]";)));
     }
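Review bot: The two new assertions only exercise the default `allow.localhost=true` path; there is no case where the property is false and `http://localhost` / `http://127.0.0.1` are rejected, so a regression that ignored the flag in activate() would still pass. The filter set-up is outside this hunk, so how properties reach the filter is not visible here; if it goes through the ComponentContext read by activate(), a second instance configured with `allow.localhost=false` and `Assert.assertEquals(false, filter.isValidRequest(getRequest("http://localhost")));` would close the gap.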

