diff options
author | Anton Tananaev <anton.tananaev@gmail.com> | 2015-12-07 09:41:42 +1300 |
---|---|---|
committer | Anton Tananaev <anton.tananaev@gmail.com> | 2015-12-07 09:41:42 +1300 |
commit | a20e996c0929bcca43e5b5595f7ec320fad3c213 (patch) | |
tree | 4c8a6f962d8c3a33468d801f7d955e368ad00115 /src | |
parent | 1c534f33c3c0c4de018b1ae223d539ac9651180d (diff) | |
download | traccar-server-a20e996c0929bcca43e5b5595f7ec320fad3c213.tar.gz traccar-server-a20e996c0929bcca43e5b5595f7ec320fad3c213.tar.bz2 traccar-server-a20e996c0929bcca43e5b5595f7ec320fad3c213.zip |
Restrict CORS origin header value
Diffstat (limited to 'src')
-rw-r--r-- | src/org/traccar/api/CorsResponseFilter.java | 19 | ||||
-rw-r--r-- | src/org/traccar/web/BaseServlet.java | 2 |
2 files changed, 17 insertions, 4 deletions
diff --git a/src/org/traccar/api/CorsResponseFilter.java b/src/org/traccar/api/CorsResponseFilter.java index 8aab5ad68..001f6ab4c 100644 --- a/src/org/traccar/api/CorsResponseFilter.java +++ b/src/org/traccar/api/CorsResponseFilter.java @@ -15,7 +15,12 @@ */ package org.traccar.api; +import org.jboss.netty.handler.codec.http.HttpHeaders; +import org.traccar.Context; + import java.io.IOException; +import java.net.URLEncoder; +import java.nio.charset.StandardCharsets; import javax.ws.rs.container.ContainerRequestContext; import javax.ws.rs.container.ContainerResponseContext; import javax.ws.rs.container.ContainerResponseFilter; @@ -36,9 +41,6 @@ public class CorsResponseFilter implements ContainerResponseFilter { @Override public void filter(ContainerRequestContext request, ContainerResponseContext response) throws IOException { - if (!response.getHeaders().containsKey(ACCESS_CONTROL_ALLOW_ORIGIN_KEY)) { - response.getHeaders().add(ACCESS_CONTROL_ALLOW_ORIGIN_KEY, ACCESS_CONTROL_ALLOW_ORIGIN_VALUE); - } if (!response.getHeaders().containsKey(ACCESS_CONTROL_ALLOW_HEADERS_KEY)) { response.getHeaders().add(ACCESS_CONTROL_ALLOW_HEADERS_KEY, ACCESS_CONTROL_ALLOW_HEADERS_VALUE); } @@ -48,6 +50,17 @@ public class CorsResponseFilter implements ContainerResponseFilter { if (!response.getHeaders().containsKey(ACCESS_CONTROL_ALLOW_METHODS_KEY)) { response.getHeaders().add(ACCESS_CONTROL_ALLOW_METHODS_KEY, ACCESS_CONTROL_ALLOW_METHODS_VALUE); } + + if (!response.getHeaders().containsKey(ACCESS_CONTROL_ALLOW_ORIGIN_KEY)) { + String origin = request.getHeaderString(HttpHeaders.Names.ORIGIN); + String allowed = Context.getConfig().getString("web.origin"); + if (allowed == null) { + response.getHeaders().add(ACCESS_CONTROL_ALLOW_ORIGIN_KEY, ACCESS_CONTROL_ALLOW_ORIGIN_VALUE); + } else if (allowed.contains(origin)) { + String originSafe = URLEncoder.encode(origin, StandardCharsets.UTF_8.name()); + response.getHeaders().add(ACCESS_CONTROL_ALLOW_ORIGIN_KEY, originSafe); + } + } } } diff --git a/src/org/traccar/web/BaseServlet.java b/src/org/traccar/web/BaseServlet.java index 69a073d39..8b022d556 100644 --- a/src/org/traccar/web/BaseServlet.java +++ b/src/org/traccar/web/BaseServlet.java @@ -56,7 +56,7 @@ public abstract class BaseServlet extends HttpServlet { if (allowed == null) { resp.setHeader(HttpHeaders.Names.ACCESS_CONTROL_ALLOW_ORIGIN, ALLOW_ORIGIN_VALUE); } else if (allowed.contains(origin)) { - String originSafe = URLEncoder.encode(origin, StandardCharsets.UTF_8.displayName()); + String originSafe = URLEncoder.encode(origin, StandardCharsets.UTF_8.name()); resp.setHeader(HttpHeaders.Names.ACCESS_CONTROL_ALLOW_ORIGIN, originSafe); } |