From a20e996c0929bcca43e5b5595f7ec320fad3c213 Mon Sep 17 00:00:00 2001
From: Anton Tananaev
Date: Mon, 7 Dec 2015 09:41:42 +1300
Subject: Restrict CORS origin header value

---
 src/org/traccar/api/CorsResponseFilter.java | 19 ++++++++++++++++---
 src/org/traccar/web/BaseServlet.java | 2 +-
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/src/org/traccar/api/CorsResponseFilter.java b/src/org/traccar/api/CorsResponseFilter.java
index 8aab5ad68..001f6ab4c 100644
--- a/src/org/traccar/api/CorsResponseFilter.java
+++ b/src/org/traccar/api/CorsResponseFilter.java
@@ -15,7 +15,12 @@
 */
 package org.traccar.api;
 
+import org.jboss.netty.handler.codec.http.HttpHeaders;
+import org.traccar.Context;
+
 import java.io.IOException;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
 import javax.ws.rs.container.ContainerRequestContext;
 import javax.ws.rs.container.ContainerResponseContext;
 import javax.ws.rs.container.ContainerResponseFilter;
@@ -36,9 +41,6 @@ public class CorsResponseFilter implements ContainerResponseFilter {
 
 @Override
 public void filter(ContainerRequestContext request, ContainerResponseContext response) throws IOException {
- if (!response.getHeaders().containsKey(ACCESS_CONTROL_ALLOW_ORIGIN_KEY)) {
- response.getHeaders().add(ACCESS_CONTROL_ALLOW_ORIGIN_KEY, ACCESS_CONTROL_ALLOW_ORIGIN_VALUE);
- }
 if (!response.getHeaders().containsKey(ACCESS_CONTROL_ALLOW_HEADERS_KEY)) {
 response.getHeaders().add(ACCESS_CONTROL_ALLOW_HEADERS_KEY, ACCESS_CONTROL_ALLOW_HEADERS_VALUE);
 }
@@ -48,6 +50,17 @@ public class CorsResponseFilter implements ContainerResponseFilter {
 if (!response.getHeaders().containsKey(ACCESS_CONTROL_ALLOW_METHODS_KEY)) {
 response.getHeaders().add(ACCESS_CONTROL_ALLOW_METHODS_KEY, ACCESS_CONTROL_ALLOW_METHODS_VALUE);
 }
+
+ if (!response.getHeaders().containsKey(ACCESS_CONTROL_ALLOW_ORIGIN_KEY)) {
+ String origin = request.getHeaderString(HttpHeaders.Names.ORIGIN);
+ String allowed = Context.getConfig().getString("web.origin");
+ if (allowed == null) {
+ response.getHeaders().add(ACCESS_CONTROL_ALLOW_ORIGIN_KEY, ACCESS_CONTROL_ALLOW_ORIGIN_VALUE);
+ } else if (allowed.contains(origin)) {
+ String originSafe = URLEncoder.encode(origin, StandardCharsets.UTF_8.name());
+ response.getHeaders().add(ACCESS_CONTROL_ALLOW_ORIGIN_KEY, originSafe);
+ }
+ }
 }
 }
 
diff --git a/src/org/traccar/web/BaseServlet.java b/src/org/traccar/web/BaseServlet.java
index 69a073d39..8b022d556 100644
--- a/src/org/traccar/web/BaseServlet.java
+++ b/src/org/traccar/web/BaseServlet.java
@@ -56,7 +56,7 @@ public abstract class BaseServlet extends HttpServlet {
 if (allowed == null) {
 resp.setHeader(HttpHeaders.Names.ACCESS_CONTROL_ALLOW_ORIGIN, ALLOW_ORIGIN_VALUE);
 } else if (allowed.contains(origin)) {
- String originSafe = URLEncoder.encode(origin, StandardCharsets.UTF_8.displayName());
+ String originSafe = URLEncoder.encode(origin, StandardCharsets.UTF_8.name());
 resp.setHeader(HttpHeaders.Names.ACCESS_CONTROL_ALLOW_ORIGIN, originSafe);
 }
 
-- 
cgit v1.2.3
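Review bot: `allowed.contains(origin)` in the new origin block is a substring test, so any Origin value that occurs inside the configured `web.origin` string (a shorter prefix of a configured entry, for instance) is accepted, and when the request carries no Origin header at all `origin` is null and `String.contains` throws a NullPointerException out of the filter. The matched value is then passed through `URLEncoder.encode`, which turns `https://host` into `https%3A%2F%2Fhost`; browsers compare `Access-Control-Allow-Origin` literally, so the encoded form will presumably fail the CORS check even for an allowed origin. Compare the Origin exactly against the individual configured entries, echo the matching entry itself, and add `Vary: Origin` since the response now depends on the request; the `URLEncoder`/`StandardCharsets` imports added in the first hunk then become unused. The same substring-and-encode pattern is visible as context in the BaseServlet hunk, which this commit only touches for the charset-name fix.
```java
        // … unchanged: Allow-Headers / Allow-Credentials / Allow-Methods blocks …
        if (!response.getHeaders().containsKey(ACCESS_CONTROL_ALLOW_ORIGIN_KEY)) {
            String origin = request.getHeaderString(HttpHeaders.Names.ORIGIN);
            String allowed = Context.getConfig().getString("web.origin");
            if (allowed == null) {
                response.getHeaders().add(ACCESS_CONTROL_ALLOW_ORIGIN_KEY, ACCESS_CONTROL_ALLOW_ORIGIN_VALUE);
            } else if (origin != null) {
                // Exact comparison against each configured entry; a substring test would
                // accept any Origin that merely appears inside the configured string.
                // Assumes web.origin is a comma/whitespace separated list — confirm.
                for (String entry : allowed.split("[,\\s]+")) {
                    if (entry.equals(origin)) {
                        // Echo the configured entry verbatim: browsers compare the header
                        // value literally, so a percent-encoded origin would not match.
                        response.getHeaders().add(ACCESS_CONTROL_ALLOW_ORIGIN_KEY, entry);
                        // The reply depends on the request Origin, so caches must key on it.
                        response.getHeaders().add("Vary", HttpHeaders.Names.ORIGIN);
                        break;
                    }
                }
            }
        }
```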