From 18fb22c7a944848bd812ece924eba6296cf187b6 Mon Sep 17 00:00:00 2001
From: Daniel Gerhardt <code@dgerhardt.net>
Date: Tue, 5 Jul 2016 15:59:27 +0200
Subject: [PATCH] Remove flawed CORS implementation

The implementation (introduced by
2084f33a8c4d0d0931e92f6e0b88373ba667c157) was too permissive and posed a
security risk. As a consequence, cross origin requests requiring client
authentication are no longer possible.
---
 .../java/de/thm/arsnova/web/CorsFilter.java   | 29 -------------------
 src/main/webapp/WEB-INF/web.xml               | 10 -------
 2 files changed, 39 deletions(-)
 delete mode 100644 src/main/java/de/thm/arsnova/web/CorsFilter.java

diff --git a/src/main/java/de/thm/arsnova/web/CorsFilter.java b/src/main/java/de/thm/arsnova/web/CorsFilter.java
deleted file mode 100644
index fc2e55f3..00000000
--- a/src/main/java/de/thm/arsnova/web/CorsFilter.java
+++ /dev/null
@@ -1,29 +0,0 @@
-package de.thm.arsnova.web;
-
-import java.io.IOException;
-
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.springframework.stereotype.Component;
-import org.springframework.web.filter.OncePerRequestFilter;
-
-@Component
-public class CorsFilter extends OncePerRequestFilter {
-
-	@Override
-	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
-			throws ServletException, IOException {
-		response.addHeader("Access-Control-Allow-Credentials", "true");
-		response.addHeader("Access-Control-Allow-Methods", "GET");
-		response.addHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, X-Requested-With");
-
-		if (request.getHeader("origin") != null) {
-			response.addHeader("Access-Control-Allow-Origin", request.getHeader("origin"));
-		}
-
-		filterChain.doFilter(request, response);
-	}
-}
diff --git a/src/main/webapp/WEB-INF/web.xml b/src/main/webapp/WEB-INF/web.xml
index 9c71a5a4..073123ba 100644
--- a/src/main/webapp/WEB-INF/web.xml
+++ b/src/main/webapp/WEB-INF/web.xml
@@ -61,16 +61,6 @@
 		<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
 	</listener>
 
-	<filter>
-		<filter-name>corsFilter</filter-name>
-		<filter-class>de.thm.arsnova.web.CorsFilter</filter-class>
-		<async-supported>true</async-supported>
-	</filter>
-	<filter-mapping>
-		<filter-name>corsFilter</filter-name>
-		<url-pattern>/*</url-pattern>
-	</filter-mapping>
-
 	<mime-mapping>
 		<extension>manifest</extension>
 		<mime-type>text/cache-manifest</mime-type>
-- 
GitLab