Source code

001/*
002 * ====================================================================
003 * Licensed to the Apache Software Foundation (ASF) under one
004 * or more contributor license agreements.  See the NOTICE file
005 * distributed with this work for additional information
006 * regarding copyright ownership.  The ASF licenses this file
007 * to you under the Apache License, Version 2.0 (the
008 * "License"); you may not use this file except in compliance
009 * with the License.  You may obtain a copy of the License at
010 *
011 *   http://www.apache.org/licenses/LICENSE-2.0
012 *
013 * Unless required by applicable law or agreed to in writing,
014 * software distributed under the License is distributed on an
015 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
016 * KIND, either express or implied.  See the License for the
017 * specific language governing permissions and limitations
018 * under the License.
019 * ====================================================================
020 *
021 * This software consists of voluntary contributions made by many
022 * individuals on behalf of the Apache Software Foundation.  For more
023 * information on the Apache Software Foundation, please see
024 * <http://www.apache.org/>.
025 *
026 */
027package org.apache.http.impl.cookie;
028
029import java.util.Map;
030import java.util.concurrent.ConcurrentHashMap;
031
032import org.apache.http.annotation.Contract;
033import org.apache.http.annotation.ThreadingBehavior;
034import org.apache.http.conn.util.PublicSuffixList;
035import org.apache.http.conn.util.PublicSuffixMatcher;
036import org.apache.http.cookie.CommonCookieAttributeHandler;
037import org.apache.http.cookie.Cookie;
038import org.apache.http.cookie.CookieOrigin;
039import org.apache.http.cookie.MalformedCookieException;
040import org.apache.http.cookie.SetCookie;
041import org.apache.http.util.Args;
042
043/**
044 * Wraps a {@link org.apache.http.cookie.CookieAttributeHandler} and leverages its match method
045 * to never match a suffix from a black list. May be used to provide additional security for
046 * cross-site attack types by preventing cookies from apparent domains that are not publicly
047 * available.
048 *
049 *  @see org.apache.http.conn.util.PublicSuffixList
050 *  @see org.apache.http.conn.util.PublicSuffixMatcher
051 *
052 * @since 4.4
053 */
054@Contract(threading = ThreadingBehavior.IMMUTABLE_CONDITIONAL)
055public class PublicSuffixDomainFilter implements CommonCookieAttributeHandler {
056
057    private final CommonCookieAttributeHandler handler;
058    private final PublicSuffixMatcher publicSuffixMatcher;
059    private final Map<String, Boolean> localDomainMap;
060
061    private static Map<String, Boolean> createLocalDomainMap() {
062        final ConcurrentHashMap<String, Boolean> map = new ConcurrentHashMap<String, Boolean>();
063        map.put(".localhost.", Boolean.TRUE);  // RFC 6761
064        map.put(".test.", Boolean.TRUE);       // RFC 6761
065        map.put(".local.", Boolean.TRUE);      // RFC 6762
066        map.put(".local", Boolean.TRUE);
067        map.put(".localdomain", Boolean.TRUE);
068        return map;
069    }
070
071    public PublicSuffixDomainFilter(
072            final CommonCookieAttributeHandler handler, final PublicSuffixMatcher publicSuffixMatcher) {
073        this.handler = Args.notNull(handler, "Cookie handler");
074        this.publicSuffixMatcher = Args.notNull(publicSuffixMatcher, "Public suffix matcher");
075        this.localDomainMap = createLocalDomainMap();
076    }
077
078    public PublicSuffixDomainFilter(
079            final CommonCookieAttributeHandler handler, final PublicSuffixList suffixList) {
080        Args.notNull(handler, "Cookie handler");
081        Args.notNull(suffixList, "Public suffix list");
082        this.handler = handler;
083        this.publicSuffixMatcher = new PublicSuffixMatcher(suffixList.getRules(), suffixList.getExceptions());
084        this.localDomainMap = createLocalDomainMap();
085    }
086
087    /**
088     * Never matches if the cookie's domain is from the blacklist.
089     */
090    @Override
091    public boolean match(final Cookie cookie, final CookieOrigin origin) {
092        final String host = cookie.getDomain();
093        final int i = host.indexOf('.');
094        if (i >= 0) {
095            final String domain = host.substring(i);
096            if (!this.localDomainMap.containsKey(domain)) {
097                if (this.publicSuffixMatcher.matches(host)) {
098                    return false;
099                }
100            }
101        } else {
102            if (!host.equalsIgnoreCase(origin.getHost())) {
103                if (this.publicSuffixMatcher.matches(host)) {
104                    return false;
105                }
106            }
107        }
108        return handler.match(cookie, origin);
109    }
110
111    @Override
112    public void parse(final SetCookie cookie, final String value) throws MalformedCookieException {
113        handler.parse(cookie, value);
114    }
115
116    @Override
117    public void validate(final Cookie cookie, final CookieOrigin origin) throws MalformedCookieException {
118        handler.validate(cookie, origin);
119    }
120
121    @Override
122    public String getAttributeName() {
123        return handler.getAttributeName();
124    }
125
126    public static CommonCookieAttributeHandler decorate(
127            final CommonCookieAttributeHandler handler, final PublicSuffixMatcher publicSuffixMatcher) {
128        Args.notNull(handler, "Cookie attribute handler");
129        return publicSuffixMatcher != null ? new PublicSuffixDomainFilter(handler, publicSuffixMatcher) : handler;
130    }
131
132}