Posted to commits@sling.apache.org by en...@apache.org on 2021/06/21 16:27:22 UTC

[sling-org-apache-sling-auth-core] branch master updated: SLING-10166 Fix vulnerabilities reported by Sonar

This is an automated email from the ASF dual-hosted git repository.

enorman pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-auth-core.git


The following commit(s) were added to refs/heads/master by this push:
     new f4c23cd  SLING-10166 Fix vulnerabilities reported by Sonar
f4c23cd is described below

commit f4c23cdae8065616daa1eff09f2e82a41c0e6212
Author: Eric Norman <en...@apache.org>
AuthorDate: Mon Jun 21 09:27:10 2021 -0700

    SLING-10166 Fix vulnerabilities reported by Sonar
    
    Change the code to not log user-controlled data
---
 src/main/java/org/apache/sling/auth/core/impl/LoginServlet.java       | 4 ++--
 src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/main/java/org/apache/sling/auth/core/impl/LoginServlet.java b/src/main/java/org/apache/sling/auth/core/impl/LoginServlet.java
index c78ac3c..175d185 100644
--- a/src/main/java/org/apache/sling/auth/core/impl/LoginServlet.java
+++ b/src/main/java/org/apache/sling/auth/core/impl/LoginServlet.java
@@ -82,8 +82,8 @@ public class LoginServlet extends SlingAllMethodsServlet {
             if (isSelf(resourcePath)) {
                 String redirectTarget = request.getContextPath() + "/";
                 log.warn(
-                    "doGet: Redirecting to {} to prevent login loop for resource {}",
-                    redirectTarget, resourcePath);
+                    "doGet: Redirecting to {} to prevent login loop for resource",
+                    redirectTarget);
                 response.sendRedirect(redirectTarget);
                 return;
             }
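Review bot: The new `log.warn` message in doGet ends with a dangling "for resource" now that the `resourcePath` argument is gone; either trim it to `"doGet: Redirecting to {} to prevent login loop"` or keep the value in a neutralised form. Dropping the argument does stop CR/LF in the request-supplied path from forging log lines, but it also removes the only record of which request tripped the loop guard. Replacing control characters and capping the length before logging, for example `resourcePath.replaceAll("[\\r\\n\\t]", "_")`, would keep the entry useful for triage. The same trade-off applies to the `redirectAfterLogout` warning in SlingAuthenticator.java, where the rejected target is what an operator would look for when investigating invalid-redirect attempts. The doGet body starts and ends outside this hunk.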
diff --git a/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java b/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
index d362da4..c21e23c 100644
--- a/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
+++ b/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
@@ -1375,7 +1375,7 @@ public class SlingAuthenticator implements Authenticator,
         // falling back to the request context path (or /) if not set or invalid
         String target = AuthUtil.getLoginResource(request, request.getContextPath());
         if (!AuthUtil.isRedirectValid(request, target)) {
-            log.warn("redirectAfterLogout: Desired redirect target '{}' is invalid; redirecting to '/'", target);
+            log.warn("redirectAfterLogout: Desired redirect target is invalid; redirecting to '/'");
             target = request.getContextPath() + "/";
         }