Posted to commits@sling.apache.org by as...@apache.org on 2017/12/15 07:01:11 UTC

[sling-org-apache-sling-auth-core] branch master updated: SLING-7243 - Improve validation in AuthUtil.isRedirectValid

This is an automated email from the ASF dual-hosted git repository.

asanso pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-auth-core.git


The following commit(s) were added to refs/heads/master by this push:
     new 015fe58  SLING-7243 - Improve validation in AuthUtil.isRedirectValid
015fe58 is described below

commit 015fe58b22e0625e9d88b687de50303db539482b
Author: Antonio Sanso <as...@adobe.com>
AuthorDate: Fri Dec 15 08:00:53 2017 +0100

    SLING-7243 - Improve validation in AuthUtil.isRedirectValid
---
 src/main/java/org/apache/sling/auth/core/AuthUtil.java     | 9 +++++++++
 src/test/java/org/apache/sling/auth/core/AuthUtilTest.java | 2 ++
 2 files changed, 11 insertions(+)

diff --git a/src/main/java/org/apache/sling/auth/core/AuthUtil.java b/src/main/java/org/apache/sling/auth/core/AuthUtil.java
index a06f6c0..771b8f8 100644
--- a/src/main/java/org/apache/sling/auth/core/AuthUtil.java
+++ b/src/main/java/org/apache/sling/auth/core/AuthUtil.java
@@ -21,6 +21,8 @@ package org.apache.sling.auth.core;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.net.MalformedURLException;
+import java.net.URI;
+import java.net.URISyntaxException;
 import java.net.URL;
 import java.net.URLEncoder;
 import java.util.HashMap;
@@ -455,6 +457,13 @@ public final class AuthUtil {
             getLog().warn("isRedirectValid: Redirect target must not be empty or null");
             return false;
         }
+        
+        try {
+            new URI(target);
+        } catch (URISyntaxException e) {
+            getLog().warn("isRedirectValid: Redirect target '{}' contains illegal characters", target);
+            return false;
+        }
 
         if (target.contains("://")) {
             getLog().warn("isRedirectValid: Redirect target '{}' must not be an URL", target);
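Review bot: The URI parsed on line 45 is discarded, so this block only rejects syntactically invalid input; a scheme-relative target such as `//evil.example/x` parses cleanly and does not contain `://`, so the check on line 51 still accepts it unless something later in the method (the rest of isRedirectValid lies outside this hunk) rejects it. Keeping the parse result and refusing any target that is absolute or carries an authority closes that gap in the same place, and the `://` substring check then becomes redundant but harmless. Be aware that `new URI` also rejects unencoded spaces, which is a tightening beyond the CR/LF cases this commit targets and deserves a sentence in the method's Javadoc.
```java
        final URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            getLog().warn("isRedirectValid: Redirect target '{}' contains illegal characters", target);
            return false;
        }
        // Also reject scheme-relative targets (//host/...), which the "://" check below misses.
        if (uri.isAbsolute() || uri.getAuthority() != null) {
            getLog().warn("isRedirectValid: Redirect target '{}' must not be an URL", target);
            return false;
        }
        // … unchanged: "://" check and the remainder of the method …
```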
diff --git a/src/test/java/org/apache/sling/auth/core/AuthUtilTest.java b/src/test/java/org/apache/sling/auth/core/AuthUtilTest.java
index 87d8fcb..92c86dc 100644
--- a/src/test/java/org/apache/sling/auth/core/AuthUtilTest.java
+++ b/src/test/java/org/apache/sling/auth/core/AuthUtilTest.java
@@ -83,6 +83,8 @@ public class AuthUtilTest {
         TestCase.assertFalse(AuthUtil.isRedirectValid(request, "/illegal/>/x"));
         TestCase.assertFalse(AuthUtil.isRedirectValid(request, "/illegal/'/x"));
         TestCase.assertFalse(AuthUtil.isRedirectValid(request, "/illegal/\"/x"));
+        TestCase.assertFalse(AuthUtil.isRedirectValid(request, "/illegal/\n"));
+        TestCase.assertFalse(AuthUtil.isRedirectValid(request, "/illegal/\r"));
     }
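Review bot: The two new assertions only pin the CR/LF cases, while the `new URI(target)` parse that backs them also rejects other characters the previous `<>'"` checks did not, notably an unencoded space; that behaviour change should be pinned too, `TestCase.assertFalse(AuthUtil.isRedirectValid(request, "/illegal/ /x"));`. A scheme-relative case, `TestCase.assertFalse(AuthUtil.isRedirectValid(request, "//evil.example/x"));`, would document whether such targets are meant to be refused, since they contain no `://` and parse without error. The enclosing test method starts outside this hunk, so I cannot tell whether a positive case with a percent-encoded path already exists; if not, one would confirm the parse does not reject legitimately encoded targets.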
 
     @Test
