
SEC-2831: Regex/AntPath RequestMatcher handle invalid HTTP method

Rob Winch 10 gadi atpakaļ
vecāks
revīzija
478a9650aa

+ 16 - 1
web/src/main/java/org/springframework/security/web/util/matcher/AntPathRequestMatcher.java

@@ -122,7 +122,7 @@ public final class AntPathRequestMatcher implements RequestMatcher {
      *    {@code servletPath} + {@code pathInfo} of the request.
      */
     public boolean matches(HttpServletRequest request) {
-        if (httpMethod != null && request.getMethod() != null && httpMethod != HttpMethod.valueOf(request.getMethod())) {
+        if (httpMethod != null && request.getMethod() != null && httpMethod != valueOf(request.getMethod())) {
             if (logger.isDebugEnabled()) {
                 logger.debug("Request '" + request.getMethod() + " " + getRequestPath(request) + "'"
                         + " doesn't match '" + httpMethod  + " " + pattern);
@@ -201,6 +201,21 @@ public final class AntPathRequestMatcher implements RequestMatcher {
         return sb.toString();
     }
 
+    /**
+     * Provides a save way of obtaining the HttpMethod from a String. If the method is invalid, returns null.
+     *
+     * @param method the HTTP method to use.
+     *
+     * @return the HttpMethod or null if method is invalid.
+     */
+    private static HttpMethod valueOf(String method) {
+        try {
+            return HttpMethod.valueOf(method);
+        } catch(IllegalArgumentException e) {}
+
+        return null;
+    }
+
     private static interface Matcher {
         boolean matches(String path);
     }
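Review bot: The new `valueOf` helper (L33-39) swallows the `IllegalArgumentException` in an empty catch, so the intent — an unrecognised verb is deliberately treated as "does not match" — is invisible to the next reader; name the variable and say why, e.g. `} catch (IllegalArgumentException ignored) {` followed by `// not a known HttpMethod: callers treat null as "no match"`, and fix the Javadoc typo `save way` → `safe way`. The identical helper is added again in RegexRequestMatcher.java (its second hunk), so the same applies there, and a single package-private utility would keep the two copies from drifting apart. Separately, because the guard at L18 no longer throws on an unknown verb, the debug branch at L20 now receives a raw client-supplied method string that failed validation; the message is only built when debug logging is enabled, but it is worth being aware that unvalidated input now reaches that log line. `matches` continues past the end of the first hunk.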

+ 17 - 1
web/src/main/java/org/springframework/security/web/util/matcher/RegexRequestMatcher.java

@@ -75,7 +75,7 @@ public final class RegexRequestMatcher implements RequestMatcher {
      * @return true if the pattern matches the URL, false otherwise.
      */
     public boolean matches(HttpServletRequest request) {
-        if (httpMethod != null && request.getMethod() != null && httpMethod != HttpMethod.valueOf(request.getMethod())) {
+        if (httpMethod != null && request.getMethod() != null && httpMethod != valueOf(request.getMethod())) {
             return false;
         }
 
@@ -102,4 +102,20 @@ public final class RegexRequestMatcher implements RequestMatcher {
 
         return pattern.matcher(url).matches();
     }
+
+
+    /**
+     * Provides a save way of obtaining the HttpMethod from a String. If the method is invalid, returns null.
+     *
+     * @param method the HTTP method to use.
+     *
+     * @return the HttpMethod or null if method is invalid.
+     */
+    private static HttpMethod valueOf(String method) {
+        try {
+            return HttpMethod.valueOf(method);
+        } catch(IllegalArgumentException e) {}
+
+        return null;
+    }
 }
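Review bot: The Javadoc on `matches` at L49 still reads `@return true if the pattern matches the URL, false otherwise`, which no longer describes the method now that an unrecognised or non-matching HTTP verb also yields false; update it to `@return true if the pattern matches the URL and, when an HTTP method was configured, the request's method equals it; false otherwise`. The second hunk also inserts two consecutive blank lines (L61-62) before the helper's Javadoc where the surrounding code uses one. `matches` extends beyond the first hunk; the class closes at L77.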

+ 10 - 0
web/src/test/java/org/springframework/security/web/util/matcher/AntPathRequestMatcherTests.java

@@ -151,6 +151,16 @@ public class AntPathRequestMatcherTests {
         new AntPathRequestMatcher("/blah", "GET").toString();
     }
 
+    // SEC-2831
+    @Test
+    public void matchesWithInvalidMethod() {
+        AntPathRequestMatcher matcher = new AntPathRequestMatcher("/blah", "GET");
+        MockHttpServletRequest request = createRequest("/blah");
+        request.setMethod("INVALID");
+
+        assertThat(matcher.matches(request)).isFalse();
+    }
+
     private HttpServletRequest createRequestWithNullMethod(String path) {
         when(request.getQueryString()).thenReturn("doesntMatter");
         when(request.getServletPath()).thenReturn(path);
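Review bot: The new test pins only the rejection branch — a matcher configured for GET rejects an `INVALID` verb. The guard it exercises is skipped when the matcher's `httpMethod` is null (the first operand of the condition in the main-code hunk), so a companion case asserting that a matcher created without an HTTP method, via whichever constructor form provides that, still matches a request whose method is `INVALID` would document that the fix does not tighten method-agnostic matchers. The enclosing test class continues outside the hunk.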

+ 11 - 0
web/src/test/java/org/springframework/security/web/util/matcher/RegexRequestMatcherTests.java

@@ -12,6 +12,7 @@
  */
 package org.springframework.security.web.util.matcher;
 
+import static org.fest.assertions.Assertions.assertThat;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 import static org.mockito.Mockito.when;
@@ -94,6 +95,16 @@ public class RegexRequestMatcherTests {
         assertFalse(matcher.matches(request));
     }
 
+    // SEC-2831
+    @Test
+    public void matchesWithInvalidMethod() {
+        RegexRequestMatcher matcher = new RegexRequestMatcher("/blah", "GET");
+        MockHttpServletRequest request = new MockHttpServletRequest("INVALID","/blah");
+        request.setMethod("INVALID");
+
+        assertThat(matcher.matches(request)).isFalse();
+    }
+
     private HttpServletRequest createRequestWithNullMethod(String path) {
         when(request.getQueryString()).thenReturn("doesntMatter");
         when(request.getServletPath()).thenReturn(path);
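Review bot: `new MockHttpServletRequest("INVALID","/blah")` at L119 already sets the method, so the following `request.setMethod("INVALID")` is redundant; keep one, e.g. `MockHttpServletRequest request = new MockHttpServletRequest("INVALID", "/blah");` and drop the setter line, or mirror the `createRequest`/`setMethod` shape used in AntPathRequestMatcherTests. The newly imported Fest `assertThat` also sits next to the file's existing JUnit `assertFalse`/`assertTrue` (L108-109), so the class now mixes two assertion styles; picking one would keep it consistent. The class continues past the hunk.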