[Branch ~dhis2-devs-core/dhis2/trunk] Rev 17848: minor lockdown on allowed headers/methods for CORS filter
------------------------------------------------------------
revno: 17848
committer: Morten Olav Hansen <mortenoh@xxxxxxxxx>
branch nick: dhis2
timestamp: Tue 2014-12-30 22:22:26 +0100
message:
minor lockdown on allowed headers/methods for CORS filter
modified:
dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/filter/CorsFilter.java
--
lp:dhis2
https://code.launchpad.net/~dhis2-devs-core/dhis2/trunk
=== modified file 'dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/filter/CorsFilter.java'
--- dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/filter/CorsFilter.java 2014-12-30 20:02:19 +0000
+++ dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/filter/CorsFilter.java 2014-12-30 21:22:26 +0000
@@ -59,6 +59,10 @@
public static final String CORS_REQUEST_METHOD = "Access-Control-Request-Method";
+ private static final String ALLOWED_METHODS = "GET, OPTIONS";
+
+ private static final String ALLOWED_HEADERS = "Accept, Content-Type, Authorization, X-Requested-With";
+
@Override
public void doFilter( ServletRequest req, ServletResponse res, FilterChain filterChain ) throws IOException, ServletException
{
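Review bot: The two new constants carry no comment explaining what they are and why POST, PUT and DELETE were dropped from ALLOWED_METHODS, so the next maintainer may "fix" the list back to the old value. Add a short Javadoc above ALLOWED_METHODS such as `/** Methods and headers advertised in CORS preflight responses; deliberately excludes mutating methods. These values are enforced by the browser, not by this filter. */` and a parallel line above ALLOWED_HEADERS. Note that the enclosing class continues outside the hunk, and doFilter's body only begins at its last line.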
@@ -68,11 +72,13 @@
String origin = request.getHeader( "Origin" );
origin = !StringUtils.isEmpty( origin ) ? origin : "*";
- String exposeHeaders = request.getHeader( CORS_REQUEST_HEADERS );
- exposeHeaders = !StringUtils.isEmpty( exposeHeaders ) ? exposeHeaders : "accept authorization";
+ // String exposeHeaders = request.getHeader( CORS_REQUEST_HEADERS );
+ // exposeHeaders = !StringUtils.isEmpty( exposeHeaders ) ? exposeHeaders : "accept authorization";
+ String exposeHeaders = ALLOWED_HEADERS;
- String allowMethods = request.getHeader( CORS_REQUEST_METHOD );
- allowMethods = !StringUtils.isEmpty( allowMethods ) ? allowMethods : "GET, POST, PUT, DELETE, OPTIONS";
+ // String allowMethods = request.getHeader( CORS_REQUEST_METHOD );
+ // allowMethods = !StringUtils.isEmpty( allowMethods ) ? allowMethods : "GET, POST, PUT, DELETE, OPTIONS";
+ String allowMethods = ALLOWED_METHODS;
response.addHeader( CORS_ALLOW_CREDENTIALS, "true" );
response.addHeader( CORS_ALLOW_ORIGIN, origin );
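Review bot: The lockdown narrows methods and headers but leaves the riskier part of the response untouched: `response.addHeader( CORS_ALLOW_ORIGIN, origin );` still echoes whatever Origin the request carried, and it is combined with `response.addHeader( CORS_ALLOW_CREDENTIALS, "true" );`, so every origin is granted credentialed read access to the allowed GET responses. The origin should be checked against a configured allowlist and, when it does not match, the request should be passed down the chain without any CORS headers being added; the `"*"` fallback for a missing Origin is harmless with credentials enabled (browsers reject that pairing) but is better dropped for the same reason. The four commented-out lines that replaced the old header reads should be deleted rather than kept as dead code, and `exposeHeaders` should be renamed (e.g. `allowHeaders`) since it now holds the allow-headers constant, not an expose list. doFilter's body continues outside the hunk, so the header that consumes exposeHeaders is not visible here.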