Posted to commits@sling.apache.org by en...@apache.org on 2021/06/21 16:27:22 UTC
[sling-org-apache-sling-auth-core] branch master updated:
SLING-10166 Fix vulnerabilities reported by Sonar
This is an automated email from the ASF dual-hosted git repository.
enorman pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-auth-core.git
The following commit(s) were added to refs/heads/master by this push:
new f4c23cd SLING-10166 Fix vulnerabilities reported by Sonar
f4c23cd is described below
commit f4c23cdae8065616daa1eff09f2e82a41c0e6212
Author: Eric Norman <en...@apache.org>
AuthorDate: Mon Jun 21 09:27:10 2021 -0700
SLING-10166 Fix vulnerabilities reported by Sonar
Change the code to not log user-controlled data
---
src/main/java/org/apache/sling/auth/core/impl/LoginServlet.java | 4 ++--
src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/main/java/org/apache/sling/auth/core/impl/LoginServlet.java b/src/main/java/org/apache/sling/auth/core/impl/LoginServlet.java
index c78ac3c..175d185 100644
--- a/src/main/java/org/apache/sling/auth/core/impl/LoginServlet.java
+++ b/src/main/java/org/apache/sling/auth/core/impl/LoginServlet.java
@@ -82,8 +82,8 @@ public class LoginServlet extends SlingAllMethodsServlet {
if (isSelf(resourcePath)) {
String redirectTarget = request.getContextPath() + "/";
log.warn(
- "doGet: Redirecting to {} to prevent login loop for resource {}",
- redirectTarget, resourcePath);
+ "doGet: Redirecting to {} to prevent login loop for resource",
+ redirectTarget);
response.sendRedirect(redirectTarget);
return;
}
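Review bot: The new message on the first `+` line still ends with "for resource" but the resource value was dropped, so the log entry now reads as a truncated sentence ("...to prevent login loop for resource"); the wording should match the remaining argument, e.g. `"doGet: Redirecting to {} to prevent login loop"`. If the path is still useful for diagnosing a loop, it can be emitted at debug level after stripping line breaks and other control characters rather than dropped outright, since the concern being addressed is log injection, not the value itself. The remaining placeholder is fed from `request.getContextPath()`, which is deployment configuration rather than caller input, so keeping it looks fine but is worth a one-line comment to that effect so the next Sonar pass does not flag it again. The enclosing doGet method starts before this hunk.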
diff --git a/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java b/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
index d362da4..c21e23c 100644
--- a/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
+++ b/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
@@ -1375,7 +1375,7 @@ public class SlingAuthenticator implements Authenticator,
// falling back to the request context path (or /) if not set or invalid
String target = AuthUtil.getLoginResource(request, request.getContextPath());
if (!AuthUtil.isRedirectValid(request, target)) {
- log.warn("redirectAfterLogout: Desired redirect target '{}' is invalid; redirecting to '/'", target);
+ log.warn("redirectAfterLogout: Desired redirect target is invalid; redirecting to '/'");
target = request.getContextPath() + "/";
}