From 8f6d0977fc7d731db2b36b8a95f092168859afe3 Mon Sep 17 00:00:00 2001
From: Shang Yehua
Date: Tue, 24 Sep 2019 21:38:26 +0800
Subject: [PATCH] Add an option to ignore or not the http header "Origin"

Add an parameter to decide whether or not to keep the header "Origin". If the target server does not support CORS and the request has an "Origin", a failure will happen. When ignore the "Origin" item, everything will be just fine.
---
 README.md | 1 +
 .../mitre/dsmiley/httpproxy/ProxyServlet.java | 17 +++++++++++++++++
 2 files changed, 18 insertions(+)
diff --git a/README.md b/README.md
index bcc0b2d4..ac519732 100644
--- a/README.md
+++ b/README.md
@@ -70,6 +70,7 @@ The following is a list of parameters that can be configured
 + log: A boolean parameter name to enable logging of input and target URLs to the servlet log.
 + forwardip: A boolean parameter name to enable forwarding of the client IP
 + preserveHost: A boolean parameter name to keep HOST parameter as-is
++ preserveOrigin: A boolean parameter name to keep Origin parameter as-is
 + preserveCookies: A boolean parameter name to keep COOKIES as-is
 + http.protocol.handle-redirects: A boolean parameter name to have auto-handle redirects
 + http.socket.timeout: A integer parameter name to set the socket connection timeout (millis)
diff --git a/src/main/java/org/mitre/dsmiley/httpproxy/ProxyServlet.java b/src/main/java/org/mitre/dsmiley/httpproxy/ProxyServlet.java
index 3e55f282..9af0ee8c 100644
--- a/src/main/java/org/mitre/dsmiley/httpproxy/ProxyServlet.java
+++ b/src/main/java/org/mitre/dsmiley/httpproxy/ProxyServlet.java
@@ -81,6 +81,9 @@ public class ProxyServlet extends HttpServlet {
 /** A boolean parameter name to keep HOST parameter as-is */
 public static final String P_PRESERVEHOST = "preserveHost";
+ /** A boolean parameter name to keep Origin parameter as-is */
+ public static final String P_PRESERVEORIGIN = "preserveOrigin";
+
 /** A boolean parameter name to keep COOKIES as-is */
 public static final String P_PRESERVECOOKIES = "preserveCookies";
@@ -109,6 +112,8 @@ public class ProxyServlet extends HttpServlet {
 protected static final String ATTR_TARGET_HOST = ProxyServlet.class.getSimpleName() + ".targetHost";
+ public static final String ATTR_HTTP_HEADER_ORIGIN = "Origin";
+
 /* MISC */
 protected boolean doLog = false;
@@ -116,6 +121,7 @@ public class ProxyServlet extends HttpServlet {
 /** User agents shouldn't send the url fragment but what if it does? */
 protected boolean doSendUrlFragment = true;
 protected boolean doPreserveHost = false;
+ protected boolean doPreserveOrigin = true;
 protected boolean doPreserveCookies = false;
 protected boolean doHandleRedirects = false;
 protected boolean useSystemProperties = true;
@@ -172,6 +178,11 @@ public void init() throws ServletException {
 this.doPreserveHost = Boolean.parseBoolean(preserveHostString);
 }
+ String preserveOriginString = getConfigParam(P_PRESERVEORIGIN);
+ if (preserveOriginString != null) {
+ this.doPreserveOrigin = Boolean.parseBoolean(preserveOriginString);
+ }
+
 String preserveCookiesString = getConfigParam(P_PRESERVECOOKIES);
 if (preserveCookiesString != null) {
 this.doPreserveCookies = Boolean.parseBoolean(preserveCookiesString);
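Review bot: `ATTR_HTTP_HEADER_ORIGIN` in the `@@ -109` hunk is declared public with the `ATTR_` prefix, while the neighbouring `ATTR_TARGET_HOST` is protected and appears to be a request-attribute key rather than a header name. A public constant becomes part of the servlet's API once released, so I would narrow and rename it, for example `protected static final String HEADER_ORIGIN = "Origin";`. It also deserves a one-line Javadoc such as `/** Name of the request header that is dropped when preserveOrigin is false. */`.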
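Review bot: In the `@@ -172` hunk, `Boolean.parseBoolean(preserveOriginString)` returns false for anything other than "true", so a mistyped value such as `yes` or `1` silently overrides the default of true and the proxy starts stripping `Origin`. For `preserveHost` a typo falls back to that option's default, but here it flips the behaviour to the non-default side, and the target then loses a header it may rely on for origin checks. Consider rejecting unrecognised values, e.g. `if (!"true".equalsIgnoreCase(preserveOriginString) && !"false".equalsIgnoreCase(preserveOriginString)) throw new ServletException(P_PRESERVEORIGIN + " must be true or false");`. init() starts and ends outside the hunk, so any shared validation helper would need to be checked against the rest of the method.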
@@ -457,6 +468,12 @@ protected void copyRequestHeader(HttpServletRequest servletRequest, HttpRequest
 if (hopByHopHeaders.containsHeader(headerName)) return;
+ // In case the target server does not support CORS,
+ // just ignore the "Origin" to make the work done.
+ if(!doPreserveOrigin && ATTR_HTTP_HEADER_ORIGIN.equalsIgnoreCase(headerName)){
+ return;
+ }
+
 @SuppressWarnings("unchecked")
 Enumeration headers = servletRequest.getHeaders(headerName);
 while (headers.hasMoreElements()) {//sometimes more than one value
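Review bot: The new early return in copyRequestHeader removes the one header a target can use for Origin-based CORS allow-listing or CSRF checks, and the comment above it mentions only the compatibility benefit. A target that treats a request without `Origin` as same-origin or non-browser would then accept cross-site requests relayed through the proxy, so the option is only safe when that check is enforced somewhere else. I would reword the comment along the lines of `// preserveOrigin=false: drop Origin for targets without CORS support; the target can no longer tell cross-origin requests apart, so origin checks must be enforced elsewhere.` Separately, `if(!doPreserveOrigin && ...){` is spaced differently from the `if (hopByHopHeaders...` line just above it. The method body starts and ends outside the hunk.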