NPE was occurred at WebUtils.isSameOrigin [SPR-14305]

[spring-projects-issues]

Kazuki Shimizu opened SPR-14305 and commented

NPE was occurred at the WebUtils.isSameOrigin when i access to a host (name) that supported by RFC 3986. In actually, i tried a host name include with "_". (e.g. http://spring_app/)

...
Caused by: java.lang.NullPointerException
	at org.springframework.web.util.WebUtils.isSameOrigin(WebUtils.java:816)
	at org.springframework.web.cors.DefaultCorsProcessor.processRequest(DefaultCorsProcessor.java:76)
	at org.springframework.web.servlet.handler.AbstractHandlerMapping$CorsInterceptor.preHandle(AbstractHandlerMapping.java:503)
	at org.springframework.web.servlet.HandlerExecutionChain.applyPreHandle(HandlerExecutionChain.java:134)
	at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:956)

I will submit repro project on https://github.com/spring-projects/spring-framework-issues.

---

Affects: 4.2.6

Issue Links:

• DefaultCorsProcessor's origin comparison is restrictive and inefficient [SPR-14080] #18652 DefaultCorsProcessor's origin comparison is restrictive and inefficient

Referenced from: commits 9a41774, 6807bcb

[spring-projects-issues]

Kazuki Shimizu commented

I've submit the PR of repro project. see spring-attic/spring-framework-issues#130 .

[spring-projects-issues]

Rossen Stoyanchev commented

java.net.URI was never updated to support RFC 3986 it seems, see JDK-6791060 which is still open. The presence of "_" in the host results in the host parsed as authority and the host remains null, see 6587184.

This issue is actually fixed in 4.3 via #18652 where the URI constructor is bypassed. So we just need to backport the change in WebUtils#isSameOrigin.

[spring-projects-issues]

Kazuki Shimizu commented

I've confirmed to fix this issue at 4.3.RC2 !!