Posted to commits@sling.apache.org by as...@apache.org on 2017/12/15 07:01:11 UTC
[sling-org-apache-sling-auth-core] branch master updated:
SLING-7243 - Improve validation in AuthUtil.isRedirectValid
This is an automated email from the ASF dual-hosted git repository.
asanso pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-auth-core.git
The following commit(s) were added to refs/heads/master by this push:
new 015fe58 SLING-7243 - Improve validation in AuthUtil.isRedirectValid
015fe58 is described below
commit 015fe58b22e0625e9d88b687de50303db539482b
Author: Antonio Sanso <as...@adobe.com>
AuthorDate: Fri Dec 15 08:00:53 2017 +0100
SLING-7243 - Improve validation in AuthUtil.isRedirectValid
---
src/main/java/org/apache/sling/auth/core/AuthUtil.java | 9 +++++++++
src/test/java/org/apache/sling/auth/core/AuthUtilTest.java | 2 ++
2 files changed, 11 insertions(+)
diff --git a/src/main/java/org/apache/sling/auth/core/AuthUtil.java b/src/main/java/org/apache/sling/auth/core/AuthUtil.java
index a06f6c0..771b8f8 100644
--- a/src/main/java/org/apache/sling/auth/core/AuthUtil.java
+++ b/src/main/java/org/apache/sling/auth/core/AuthUtil.java
@@ -21,6 +21,8 @@ package org.apache.sling.auth.core;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
+import java.net.URI;
+import java.net.URISyntaxException;
import java.net.URL;
import java.net.URLEncoder;
import java.util.HashMap;
@@ -455,6 +457,13 @@ public final class AuthUtil {
getLog().warn("isRedirectValid: Redirect target must not be empty or null");
return false;
}
+
+ try {
+ new URI(target);
+ } catch (URISyntaxException e) {
+ getLog().warn("isRedirectValid: Redirect target '{}' contains illegal characters", target);
+ return false;
+ }
if (target.contains("://")) {
getLog().warn("isRedirectValid: Redirect target '{}' must not be an URL", target);
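Review bot: The `URI` built in the new try block is thrown away, so the guard only rejects targets that fail to parse; a scheme-relative target such as `//host/path`, or an absolute one whose scheme is not followed by `://`, parses cleanly and also passes the `target.contains("://")` test that follows, unless a check later in isRedirectValid (the method continues past this hunk) covers it. Keeping the result, `final URI uri;` before the try and `uri = new URI(target);` inside it, lets the existing test become `if (uri.isAbsolute() || uri.getRawAuthority() != null) {` with the same warning. Separately, the warning in the catch block logs the raw target, which by construction contains a character the parser refused — possibly CR or LF — so the log line itself can be split; logging `e.getReason()` and `e.getIndex()` instead of the value, or stripping control characters first, avoids that. Since `java.net.URI` also refuses unencoded space, `|`, `{`, `}` and similar, a relative path that was accepted before this commit may now be rejected; that tightening belongs in the method's Javadoc.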
diff --git a/src/test/java/org/apache/sling/auth/core/AuthUtilTest.java b/src/test/java/org/apache/sling/auth/core/AuthUtilTest.java
index 87d8fcb..92c86dc 100644
--- a/src/test/java/org/apache/sling/auth/core/AuthUtilTest.java
+++ b/src/test/java/org/apache/sling/auth/core/AuthUtilTest.java
@@ -83,6 +83,8 @@ public class AuthUtilTest {
TestCase.assertFalse(AuthUtil.isRedirectValid(request, "/illegal/>/x"));
TestCase.assertFalse(AuthUtil.isRedirectValid(request, "/illegal/'/x"));
TestCase.assertFalse(AuthUtil.isRedirectValid(request, "/illegal/\"/x"));
+ TestCase.assertFalse(AuthUtil.isRedirectValid(request, "/illegal/\n"));
+ TestCase.assertFalse(AuthUtil.isRedirectValid(request, "/illegal/\r"));
}
@Test
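Review bot: Only negative cases are added; because the new `new URI(target)` check refuses more than CR and LF (unencoded space, `|`, `{`, `}` and similar), a positive assertion that an ordinary relative target, e.g. `TestCase.assertTrue(AuthUtil.isRedirectValid(request, "/valid/path?x=1#f"));`, is still accepted would guard against the stricter parse regressing legitimate redirects. A case with a scheme-relative value such as `"//example.invalid/path"` (a constructed sample) would also pin down whether such targets are rejected, since the relevant checks live outside this hunk. The enclosing test method starts before the hunk.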