Posted to dev@shindig.apache.org by et...@apache.org on 2008/02/27 00:05:55 UTC

svn commit: r631422 - /incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/http/GadgetRenderingServlet.java

Author: etnu
Date: Tue Feb 26 15:05:53 2008
New Revision: 631422

URL: http://svn.apache.org/viewvc?rev=631422&view=rev
Log:
Added protocol validation to GadgetRenderingServlet to prevent redirection exploits and potential problems with RemoteContentFetcher implementations that allow file system access.


Modified:
    incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/http/GadgetRenderingServlet.java

Modified: incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/http/GadgetRenderingServlet.java
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/http/GadgetRenderingServlet.java?rev=631422&r1=631421&r2=631422&view=diff
==============================================================================
--- incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/http/GadgetRenderingServlet.java (original)
+++ incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/http/GadgetRenderingServlet.java Tue Feb 26 15:05:53 2008
@@ -94,6 +94,12 @@
       return;
     }
 
+    if (!"http".equals(uri.getScheme()) && !"https".equals(uri.getScheme())) {
+      resp.sendError(HttpServletResponse.SC_BAD_REQUEST,
+                     "Unsupported scheme (must be http or https).");
+      return;
+    }
+
     if (!validateParent(req)) {
       logger.info("Invalid parent");
       resp.sendError(HttpServletResponse.SC_BAD_REQUEST,
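Review bot: the new scheme check returns without logging, while the neighbouring rejection path right after it records `logger.info("Invalid parent")` before sending the same 400; add a matching log line (e.g. `logger.info("Unsupported scheme: " + uri.getScheme())`) so that rejected non-http(s) gadget URLs are visible in the server log rather than only in the client's error response. Also note the comparison is case-sensitive: `"http".equals(uri.getScheme())` refuses an uppercase `HTTP` scheme even though RFC 3986 treats scheme names as case-insensitive. That is the safe direction to fail in, but if such URLs are expected, `equalsIgnoreCase` would accept them without widening the allow-list beyond http and https. Finally, the check relies on `uri` having been parsed successfully by the code above the hunk; a null scheme (relative URI) is correctly rejected here because `"http".equals(null)` is false, which is worth stating in a comment.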