
CorsUtils.isCorsRequest throws unhandled IllegalArgumentException and returns 500 Internal Server Error on malformed Origin header #33682

Open
sfc-gh-jzana opened this issue Oct 11, 2024 · 0 comments
Assignees
Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) status: waiting-for-triage An issue we've not yet triaged or decided on

Comments

@sfc-gh-jzana

Affects: 6.1.13


If a client sends a malformed Origin header in a CORS request to a Spring Boot application that looks like this:

 curl 'http://localhost/sample' \
   -X 'OPTIONS' \
   -H 'Origin: https://*@:;'

The following exception will be thrown:

j.l.IllegalArgumentException: [https://*@:;] is not a valid HTTP URL
	at o.s.w.u.UriComponentsBuilder.checkSchemeAndHost(UriComponentsBuilder.java:309)
	at o.s.w.u.UriComponentsBuilder.fromOriginHeader(UriComponentsBuilder.java:371)
	at o.s.w.cors.CorsUtils.isCorsRequest(CorsUtils.java:46)
	at o.s.w.c.DefaultCorsProcessor.processRequest(DefaultCorsProcessor.java:86)

This exception is not handled, and bubbles out as a 500 Internal Server Error.

I would expect that the framework would handle the invalid input and reject the request with a 403 Forbidden with message "invalid cors request", like it does for many other kinds of invalid input.

The only workaround I have found is to register a custom corsFilter bean, with a custom CorsProcessor that handles the exception and rejects it.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged or decided on label Oct 11, 2024
@jhoeller jhoeller added the in: web Issues in web modules (web, webmvc, webflux, websocket) label Oct 11, 2024
@simonbasle simonbasle self-assigned this Oct 11, 2024
Development

No branches or pull requests

4 participants