https://bz.apache.org/bugzilla/show_bug.cgi?id=63939
Bug ID: 63939
Summary: CORS filter incorrectly implements same/local origin check
Product: Tomcat 9
Version: 9.0.x
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P2
Component: Catalina
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: -----
I believe
org.apache.catalina.filters.CorsFilter.isLocalOrigin(HttpServletRequest,
String) has two bugs:
One note upfront: I believe this method should be renamed to isSameOrigin() to
use the same term as the Fetch Standard.
Bug 1: When Origin contains a standard port Tomcat does not take that into
account and omits the default port from target, e.g.,
> curl -X OPTIONS -H "Origin: https://fqdn:443"
vs.
> curl -X OPTIONS -H "Origin: https://fqdn"
both result in different responses.
The root cause is here:
https://github.com/apache/tomcat/blob/master/java/org/apache/catalina/filters/CorsFilter.java#L656-L663
As far as I understand https://url.spec.whatwg.org/#concept-url-port, the
default port for the specific protocol has to be used within the comparison.
Bug 2: at the very end "origin.equalsIgnoreCase(target.toString());" is
performed while isOriginAllowed() performs a case-sensitive comparison as
documented here:
https://www.w3.org/TR/access-control/#resource-preflight-requests
This seems to be inconsistent.
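The port normalization the report points to, as an added example that is not Tomcat's code and not part of the bug report: a stand-in for the string comparison the reporter describes (default port omitted from the rebuilt target) is placed beside a same-origin check that normalizes both sides to a (scheme, host, port) tuple per the URL Standard's default-port rule, so that the two curl requests from the report compare equal. Written in Python rather than Tomcat's Java; the function and table names are this example's own.

```python
from urllib.parse import urlsplit

# Default ports per special scheme, as in the WHATWG URL Standard
# (https://url.spec.whatwg.org/#concept-url-port). An explicit port equal to the
# scheme's default denotes the same origin as no port at all.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443, "ftp": 21}


def parse_origin(origin):
    """Normalize a serialized origin to a (scheme, host, port) tuple.

    Scheme and host are lowercased (the URL parser does this anyway), and a
    missing port is replaced by the scheme's default. Returns None for anything
    that is not a tuple origin, e.g. "null" or a malformed port."""
    parts = urlsplit(origin.strip())
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    if not scheme or not host:
        return None
    try:
        port = parts.port  # None when absent; ValueError when not numeric
    except ValueError:
        return None
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def naive_same_origin(origin, scheme, host, port):
    """Simplified stand-in for the behaviour the report describes as Bug 1:
    rebuild the target without its default port and compare strings, so
    "https://fqdn:443" and "https://fqdn" give different answers."""
    target = f"{scheme}://{host}"
    if port is not None and port != DEFAULT_PORTS.get(scheme):
        target += f":{port}"
    return origin.lower() == target.lower()


def same_origin(origin, scheme, host, port):
    """Compare the Origin header with the request's own scheme/host/port after
    normalizing both sides; the final comparison is exact, so the same rule can
    serve both this check and an allow-list lookup."""
    target = parse_origin(f"{scheme}://{host}:{port}")
    return parse_origin(origin) == target


if __name__ == "__main__":
    # Constructed inputs matching the two curl requests in the report.
    for hdr in ("https://fqdn:443", "https://fqdn"):
        print(hdr, naive_same_origin(hdr, "https", "fqdn", 443),
              same_origin(hdr, "https", "fqdn", 443))
```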