in openmeetings-service/src/main/java/org/apache/jackrabbit/webdav/util/CSRFUtil.java [114:167]
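/**
 * Decides whether a request may pass the CSRF check.
 * <p>
 * Only {@code POST} requests are examined, and only while protection is not
 * {@code disabled}. A POST is accepted outright when its (single) Content-Type
 * is not in {@code CONTENT_TYPES}; otherwise its {@code Referer} header must be
 * present, non-blank, well-formed and either name this server or a host in
 * {@code allowedReferrerHosts}. Requests carrying more than one Content-Type
 * header field are always rejected.
 *
 * @param request the incoming request
 * @return {@code true} if the request should be processed, {@code false} if it is blocked
 */
public boolean isValidRequest(HttpServletRequest request) {
    if (disabled) {
        return true;
    }
    if (!"POST".equals(request.getMethod())) {
        // protection only needed for POST
        return true;
    }

    @SuppressWarnings("unchecked")
    Enumeration<String> cts = (Enumeration<String>) request.getHeaders("Content-Type");
    String ct = null;
    if (cts != null && cts.hasMoreElements()) {
        ct = normalizeContentType(cts.nextElement());
    }
    if (cts != null && cts.hasMoreElements()) {
        // reject if there are more header field instances
        log.debug("request blocked because there were multiple content-type header fields");
        return false;
    }
    if (ct != null && !CONTENT_TYPES.contains(ct)) {
        // type present and not in blacklist
        return true;
    }

    String refHeader = request.getHeader("Referer");
    // empty referrer headers are not allowed for POST + relevant
    // content types (see JCR-3909). A header that is present but blank is
    // treated like a missing one: new URI("") parses fine with a null host,
    // which would otherwise satisfy the host check below.
    if (refHeader == null || refHeader.trim().isEmpty()) {
        log.debug("POST with content type " + ct + " blocked due to missing referer header field");
        return false;
    }
    return isReferrerAllowed(request, refHeader, ct);
}

/** Strips media-type parameters (everything from the first ';') and lower-cases the type. */
private static String normalizeContentType(String raw) {
    int semicolon = raw.indexOf(';');
    String type = semicolon >= 0 ? raw.substring(0, semicolon) : raw;
    return type.trim().toLowerCase(Locale.ENGLISH);
}

/** Checks the Referer host against the request's server name and the explicit allow-list. */
private boolean isReferrerAllowed(HttpServletRequest request, String refHeader, String ct) {
    try {
        String host = new URI(refHeader).getHost();
        // test referrer-host equals server or
        // if it is contained in the set of explicitly allowed host names.
        // NOTE(review): a well-formed Referer with no authority component
        // (host == null) is accepted by this condition; also, getServerName()
        // may be derived from the client-supplied Host header depending on
        // container configuration — confirm both are intended.
        boolean ok = host == null || host.equals(request.getServerName()) || allowedReferrerHosts.contains(host);
        if (!ok) {
            log.debug("POST with content type " + ct + " blocked due to referer header field being: " + refHeader);
        }
        return ok;
    } catch (URISyntaxException ex) {
        // referrer malformed -> block access
        log.debug("POST with content type " + ct + " blocked due to malformed referer header field: " + refHeader);
        return false;
    }
}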