CorsUtils.isCorsRequest throws unhandled IllegalArgumentException and returns 500 Internal Server Error on malformed Origin header #33682
Comments
Note: I stumbled on #33639 in the 6.2.0 RC2 milestone, which likely changes the exact call stack and exception details, but I still don't see any exception handling in CorsUtils, so I suspect the error will still occur.
@sfc-gh-jzana, thanks for the additional detail on how you came across this. To be sure, you're not saying that there is a regression as a result of #33639, correct? In other words, you are just pointing out that there isn't any handling for this, and there has never been. I expect the origin header is typically well formed, and that's why this hasn't been noticed or reported as an issue.
@rstoyanchev - correct. This is a preexisting issue from before that change (I am using 6.1.13). Agreed that this is not seen in normal use as the browser controls the ORIGIN header. We found this error through penetration testing of our API surface.
Hi, I created a pull request that addresses this issue.
Closed in 8da31e1
Thank you!
@simonbasle Thanks for the quick fix!
Affects: 6.1.13
If a client sends a malformed Origin header in a CORS request to a Spring Boot application that looks like this:
The following exception will be thrown:
This exception is not handled, and bubbles out as a 500 Internal Server Error.
I would expect that the framework would handle the invalid input and reject the request with a 403 Forbidden with message "invalid cors request", like it does for many other kinds of invalid input.
The only workaround I have found is to register a custom corsFilter bean with a custom CorsProcessor that handles the exception and rejects it.
Here's a unit test that fails due to this issue:
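The workaround the reporter describes (a custom corsFilter bean whose CorsProcessor catches the exception and rejects the request with 403) is shown here as an added example. It is not the reporter's code and not the fix that was merged in the framework. It assumes Spring Framework 6.1 on the Jakarta Servlet API, a hypothetical configuration class and processor name, and a placeholder allowed-origin pattern; the IllegalArgumentException being caught is the one named in the issue title, raised from CorsUtils.isCorsRequest inside DefaultCorsProcessor.processRequest.

```java
import java.io.IOException;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.DefaultCorsProcessor;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

/** Hypothetical configuration class (example only, not part of the issue or the project). */
@Configuration
public class CorsWorkaroundConfig {

    /**
     * Hypothetical processor name. Delegates to DefaultCorsProcessor and turns the
     * IllegalArgumentException thrown for an unparseable Origin header into the same
     * 403 "Invalid CORS request" rejection the framework uses for other invalid CORS input,
     * instead of letting it bubble out as a 500 Internal Server Error.
     */
    static class RejectingCorsProcessor extends DefaultCorsProcessor {

        @Override
        public boolean processRequest(CorsConfiguration config, HttpServletRequest request,
                HttpServletResponse response) throws IOException {
            try {
                // DefaultCorsProcessor calls CorsUtils.isCorsRequest(request) here,
                // which is where a malformed Origin header blows up.
                return super.processRequest(config, request, response);
            }
            catch (IllegalArgumentException ex) {
                // Reject like any other invalid CORS request. The raw header value is
                // deliberately not echoed back to the client or into the log message.
                response.setStatus(HttpServletResponse.SC_FORBIDDEN);
                response.getWriter().write("Invalid CORS request");
                response.flushBuffer();
                return false; // stop the filter chain; the handler is never invoked
            }
        }
    }

    /** Registers the filter under the bean name "corsFilter" so Spring Boot (and Spring Security) pick it up. */
    @Bean
    public CorsFilter corsFilter() {
        CorsConfiguration config = new CorsConfiguration();
        config.addAllowedOriginPattern("https://*.example.invalid"); // placeholder, replace with real origins
        config.addAllowedMethod("*");
        config.addAllowedHeader("*");

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);

        CorsFilter filter = new CorsFilter(source);
        filter.setCorsProcessor(new RejectingCorsProcessor());
        return filter;
    }
}
```

Because the CorsFilter runs ahead of the DispatcherServlet, a request carrying an unparseable Origin header is answered with 403 by the filter and never reaches the handler mappings, so the unhandled exception path in the framework is not exercised. The same try/catch can be applied to a CorsProcessor plugged into the MVC CorsInterceptor if the application relies on per-handler CORS configuration rather than a global filter.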