package org.apache.jackrabbit.webdav.util;

import com.google.common.net.HttpHeaders;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.fileupload.FileUploadBase;
import org.apache.http.client.utils.URLEncodedUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/jackrabbit-webdav-2.15.5.jar:org/apache/jackrabbit/webdav/util/CSRFUtil.class */
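/**
 * Referrer-based CSRF check for WebDAV POST requests.
 *
 * <p>Only {@code POST} requests that carry no Content-Type or one of the
 * form-style media types in {@link #CONTENT_TYPES} are examined; every other
 * request passes. An examined request is accepted when it has at most one
 * Content-Type field and its Referer header parses as a URI whose host is
 * absent, equal to the server name the request was addressed to, or one of the
 * hosts named in the configuration string. The instance is immutable after
 * construction.
 */
public class CSRFUtil {

    /** Configuration value that switches the referrer check off entirely. */
    public static final String DISABLED = "disabled";

    /**
     * Media types for which the referrer check is applied. These are the
     * enctype values an HTML form submission can carry; POSTs with any other
     * media type pass the check unexamined.
     */
    public static final Set<String> CONTENT_TYPES = Collections.unmodifiableSet(new HashSet<String>(Arrays.asList(
            URLEncodedUtils.CONTENT_TYPE, FileUploadBase.MULTIPART_FORM_DATA, "text/plain")));

    private static final Logger log = LoggerFactory.getLogger(CSRFUtil.class);

    /** Separates a media type from its parameters, as in {@code text/plain; charset=utf-8}. */
    private static final char PARAM_SEPARATOR = ';';

    /** {@code true} when the configuration asked for the check to be skipped. */
    private final boolean disabled;

    /** Referer hosts accepted in addition to the request's own server name (never {@code null}). */
    private final Set<String> allowedReferrerHosts;

    /**
     * Creates the checker from its configuration string.
     *
     * @param config {@code null} or empty for the default (check enabled, no
     *               extra referrer hosts); {@value #DISABLED} (case-insensitive,
     *               surrounding whitespace ignored) to switch the check off;
     *               otherwise a comma-separated list of referrer host names that
     *               are accepted in addition to the request's server name
     */
    public CSRFUtil(String config) {
        if (config == null || config.length() == 0) {
            this.disabled = false;
            this.allowedReferrerHosts = Collections.emptySet();
        } else if (DISABLED.equalsIgnoreCase(config.trim())) {
            this.disabled = true;
            this.allowedReferrerHosts = Collections.emptySet();
        } else {
            this.disabled = false;
            String[] entries = config.split(",");
            Set<String> hosts = new HashSet<String>(entries.length);
            for (String entry : entries) {
                hosts.add(entry.trim());
            }
            this.allowedReferrerHosts = Collections.unmodifiableSet(hosts);
        }
        // Report the effective state rather than the branch taken, so an empty
        // configuration (check still enabled) is not logged as "disabled".
        if (this.disabled) {
            log.debug("CSRF protection disabled");
        } else {
            log.debug("CSRF protection enabled, allowed referrers: {}", this.allowedReferrerHosts);
        }
    }

    /**
     * Decides whether a request passes the CSRF check.
     *
     * @param request the incoming request
     * @return {@code true} if the request may be processed, {@code false} if it
     *         is to be rejected (multiple Content-Type fields, missing or
     *         malformed Referer, or a Referer host that is neither the server
     *         name nor a configured host)
     */
    public boolean isValidRequest(HttpServletRequest request) {
        if (this.disabled || !"POST".equals(request.getMethod())) {
            return true;
        }

        String contentType = null;
        Enumeration<?> contentTypes = request.getHeaders("Content-Type");
        if (contentTypes != null && contentTypes.hasMoreElements()) {
            contentType = mediaType((String) contentTypes.nextElement());
            // A second Content-Type field makes the media type ambiguous; the
            // request is rejected rather than guessing which one applies.
            if (contentTypes.hasMoreElements()) {
                log.debug("request blocked because there were multiple content-type header fields");
                return false;
            }
        }
        // Non-form media types pass; a missing Content-Type is still examined.
        if (contentType != null && !CONTENT_TYPES.contains(contentType)) {
            return true;
        }

        String referer = request.getHeader(HttpHeaders.REFERER);
        if (referer == null) {
            log.debug("POST with content type {} blocked due to missing referer header field", contentType);
            return false;
        }
        String host;
        try {
            host = new URI(referer).getHost();
        } catch (URISyntaxException e) {
            log.debug("POST with content type {} blocked due to malformed referer header field: {}", contentType, referer);
            return false;
        }
        // NOTE(review): a Referer without a host component (e.g. a relative
        // reference) is accepted here, and the host comparison is
        // case-sensitive although DNS names are not; both are kept as-is and
        // should be confirmed against the intended policy.
        boolean valid = host == null
                || host.equals(request.getServerName())
                || this.allowedReferrerHosts.contains(host);
        if (!valid) {
            log.debug("POST with content type {} blocked due to referer header field being: {}", contentType, referer);
        }
        return valid;
    }

    /**
     * Strips any parameters from a Content-Type value and normalises the
     * remaining media type for lookup in {@link #CONTENT_TYPES}.
     *
     * @param headerValue the raw header value, never {@code null}
     * @return the media type, trimmed and lower-cased with {@link Locale#ENGLISH}
     */
    private static String mediaType(String headerValue) {
        int sep = headerValue.indexOf(PARAM_SEPARATOR);
        String type = sep >= 0 ? headerValue.substring(0, sep) : headerValue;
        return type.trim().toLowerCase(Locale.ENGLISH);
    }
}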
