This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
     new 1a05ed0919 Improved: makes HOSTHEADERSALLOWED static in RequestHandler
1a05ed0919 is described below

commit 1a05ed091906304e01af8568d8bb9eb3c8ae1440
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Tue Feb 25 09:19:29 2025 +0100

    Improved: makes HOSTHEADERSALLOWED static in RequestHandler
---
 .../main/java/org/apache/ofbiz/webapp/control/RequestHandler.java  | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
index d1aae320ce..d4d9a2c589 100644
--- 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
+++ 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
@@ -83,7 +83,7 @@ public class RequestHandler {
     private final URL controllerConfigURL;
     private final boolean trackServerHit;
     private final boolean trackVisit;
-    private final List<String> hostHeadersAllowed;
+    private static final List<String> HOSTHEADERSALLOWED = 
UtilMisc.getHostHeadersAllowed();
     private ControllerConfig ccfg;
 
     static class ControllerConfig {
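Review bot: The allow-list behind the host header check is now a class-level constant initialised once at class load and shared by every RequestHandler instance, and nothing at the declaration says so. Whether `UtilMisc.getHostHeadersAllowed()` returns a modifiable list is not visible in this diff; if it does, any code that obtains the same reference could alter the list the `doRequest` check in the third hunk relies on, so wrapping it as `Collections.unmodifiableList(UtilMisc.getHostHeadersAllowed())` would make the constant safe to share. A changed host-headers-allowed value in security.properties presumably now takes effect only after a restart, which deserves a comment such as `// Read once at class load; restart to apply host-headers-allowed changes`. As a style point, the constant would read better as `HOST_HEADERS_ALLOWED`, matching the usual UPPER_SNAKE_CASE convention.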
@@ -169,9 +169,6 @@ public class RequestHandler {
 
         this.trackServerHit = 
!"false".equalsIgnoreCase(context.getInitParameter("track-serverhit"));
         this.trackVisit = 
!"false".equalsIgnoreCase(context.getInitParameter("track-visit"));
-
-        hostHeadersAllowed = UtilMisc.getHostHeadersAllowed();
-
     }
 
     public ConfigXMLReader.ControllerConfig getControllerConfig() {
@@ -240,7 +237,7 @@ public class RequestHandler {
     public void doRequest(HttpServletRequest request, HttpServletResponse 
response, String chain,
             GenericValue userLogin, Delegator delegator) throws 
RequestHandlerException, RequestHandlerExceptionAllowExternalRequests {
 
-        if (!hostHeadersAllowed.contains(request.getServerName())) {
+        if (!HOSTHEADERSALLOWED.contains(request.getServerName())) {
             Debug.logError("Domain " + request.getServerName() + " not 
accepted to prevent host header injection."
                     + " You need to set host-headers-allowed property in 
security.properties file.", module);
             throw new RequestHandlerException("Domain " + 
request.getServerName() + " not accepted to prevent host header injection."
