org.apache.jackrabbit.webdav.util.CSRFUtil Maven / Gradle / Ivy
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.jackrabbit.webdav.util;
import org.apache.jackrabbit.webdav.DavMethods;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.servlet.http.HttpServletRequest;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
/**
* CSRFUtil...
*/
public class CSRFUtil {
/**
* Constant used to
*/
public static final String DISABLED = "disabled";
/**
* Request content types for CSRF checking, see JCR-3909
*/
public static final Set CONTENT_TYPES = Collections.unmodifiableSet(new HashSet(
Arrays.asList(
new String[] {
"application/x-www-form-urlencoded",
"multipart/form-data",
"text/plain"
}
)
));
/**
* logger instance
*/
private static final Logger log = LoggerFactory.getLogger(CSRFUtil.class);
/**
* Disable referrer based CSRF protection
*/
private final boolean disabled;
/**
* Additional allowed referrer hosts for CSRF protection
*/
private final Set allowedReferrerHosts;
/**
* Creates a new instance from the specified configuration, which defines
* the behaviour of the referrer based CSRF protection as follows:
*
* - If config is
null or empty string the default
* behaviour is to allow only requests with an empty referrer header or a
* referrer host equal to the server host
* - A comma separated list of additional allowed referrer hosts which are
* valid in addition to default behaviour (see above).
* - The value {@link #DISABLED} may be used to disable the referrer checking altogether
*
*
* @param config The configuration value which may be any of the following:
*
* null or empty string for the default behaviour, which
* only allows requests with an empty referrer header or a
* referrer host equal to the server host- A comma separated list of additional allowed referrer hosts which are
* valid in addition to default behaviour (see above).
* - {@link #DISABLED} in order to disable the referrer checking altogether
*
*/
public CSRFUtil(String config) {
if (config == null || config.length() == 0) {
disabled = false;
allowedReferrerHosts = Collections.emptySet();
} else {
if (DISABLED.equalsIgnoreCase(config.trim())) {
disabled = true;
allowedReferrerHosts = Collections.emptySet();
} else {
disabled = false;
String[] allowed = config.split(",");
allowedReferrerHosts = new HashSet(allowed.length);
for (String entry : allowed) {
allowedReferrerHosts.add(entry.trim());
}
}
}
}
public boolean isValidRequest(HttpServletRequest request) throws MalformedURLException {
int methodCode = DavMethods.getMethodCode(request.getMethod());
if (disabled || DavMethods.DAV_POST != methodCode || !CONTENT_TYPES.contains(request.getContentType())) {
return true;
} else {
String refHeader = request.getHeader("Referer");
// empty referrer headers are not allowed for POST + relevant content types (see JCR-3909)
if (refHeader == null) {
return false;
}
String host = new URL(refHeader).getHost();
// test referrer-host equals server or
// if it is contained in the set of explicitly allowed host names
return host.equals(request.getServerName()) || allowedReferrerHosts.contains(host);
}
}
} © 2015 - 2025 Weber Informatics LLC | Privacy Policy