Posted to dev@shindig.apache.org by et...@apache.org on 2008/02/27 00:05:55 UTC
svn commit: r631422 -
/incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/http/GadgetRenderingServlet.java
Author: etnu
Date: Tue Feb 26 15:05:53 2008
New Revision: 631422
URL: http://svn.apache.org/viewvc?rev=631422&view=rev
Log:
Added protocol validation to GadgetRenderingServlet to prevent redirection exploits and potential problems with RemoteContentFetcher implementations that allow file system access.
Modified:
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/http/GadgetRenderingServlet.java
Modified: incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/http/GadgetRenderingServlet.java
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/http/GadgetRenderingServlet.java?rev=631422&r1=631421&r2=631422&view=diff
==============================================================================
--- incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/http/GadgetRenderingServlet.java (original)
+++ incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/http/GadgetRenderingServlet.java Tue Feb 26 15:05:53 2008
@@ -94,6 +94,12 @@
return;
}
+ if (!"http".equals(uri.getScheme()) && !"https".equals(uri.getScheme())) {
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST,
+ "Unsupported scheme (must be http or https).");
+ return;
+ }
+
if (!validateParent(req)) {
logger.info("Invalid parent");
resp.sendError(HttpServletResponse.SC_BAD_REQUEST,