unnecessary code deletion and secure origin comparison

apache · Feb 2, 2025 · c93bfa1 · c93bfa1
1 parent c656c38
commit c93bfa1
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 11 deletions.
diff --git a/java/org/apache/tomcat/util/http/RequestUtil.java b/java/org/apache/tomcat/util/http/RequestUtil.java
@@ -123,19 +123,12 @@ public static boolean isSameOrigin(HttpServletRequest request, String origin) {
         // Build scheme://host:port from request
         StringBuilder target = new StringBuilder();
         String scheme = request.getScheme();
-        if (scheme == null) {
-            return false;
-        } else {
-            scheme = scheme.toLowerCase(Locale.ENGLISH);
-        }
-        target.append(scheme);
-        target.append("://");
-
         String host = request.getServerName();
-        if (host == null) {
+        if (scheme == null || host == null) {
             return false;
         }
-        target.append(host);
+        scheme = scheme.toLowerCase(Locale.ENGLISH);
+        target.append(scheme).append("://").append(host);
 
         int port = request.getServerPort();
         // Origin may or may not include the (default) port.
@@ -161,7 +154,7 @@ public static boolean isSameOrigin(HttpServletRequest request, String origin) {
 
         // Both scheme and host are case-insensitive but the CORS spec states
         // this check should be case-sensitive
-        return origin.equals(target.toString());
+        return origin.contentEquals(target);
     }
 
 

diff --git a/test/org/apache/tomcat/util/http/TestRequestUtilSameOrigin.java b/test/org/apache/tomcat/util/http/TestRequestUtilSameOrigin.java
@@ -42,6 +42,8 @@ public static Collection<Object[]> parameters() {
         TesterRequest request2 = new TesterRequest("ws", "example.com", 80);
         TesterRequest request3 = new TesterRequest("http", "example.com", 443);
         TesterRequest request4 = new TesterRequest("http", "example.com", 8080);
+        TesterRequest request5 = new TesterRequest(null, "exmaple.com", 80);
+        TesterRequest request6 = new TesterRequest("http", null, 8080);
 
         parameterSets.add(new Object[] { request1, "http://example.com", Boolean.TRUE });
         parameterSets.add(new Object[] { request1, "http://example.com:80", Boolean.TRUE });
@@ -59,6 +61,14 @@ public static Collection<Object[]> parameters() {
         parameterSets.add(new Object[] { request4, "http://example.com:80", Boolean.FALSE });
         parameterSets.add(new Object[] { request4, "http://example.com:8080", Boolean.TRUE});
 
+        parameterSets.add(new Object[]{ request5, "http://example.com:80", Boolean.FALSE});
+        parameterSets.add(new Object[]{ request5, "://example.com:80", Boolean.FALSE});
+        parameterSets.add(new Object[]{ request5, "example.com:80", Boolean.FALSE});
+
+        parameterSets.add(new Object[]{ request6, "http://example.com:80", Boolean.FALSE});
+        parameterSets.add(new Object[]{ request6, "http://:80", Boolean.FALSE});
+        parameterSets.add(new Object[]{ request6, "http://", Boolean.FALSE});
+
         return parameterSets;
     }