Posted to pluto-dev@portals.apache.org by pablo <pa...@gmail.com> on 2008/11/19 12:30:03 UTC

Possible bug in redirect handling by StateAwareResponseImpl

Hi there,

I'd like you to confirm that the following is actually an issue.

In StateAwareResponseImpl#sendRedirect
<http://svn.apache.org/viewvc/portals/pluto/trunk/pluto-container/src/main/java/org/apache/pluto/internal/impl/StateAwareResponseImpl.java?view=markup>,
the ResourceURLProvider is updated with the absolute or
relative URL of the redirect address. Then the URL is encoded and stored in
the variable location, and this is checked:

if (location.indexOf("/") == -1)
  throw new IllegalArgumentException("There is a relative path given, an IllegalArgumentException must be thrown.");

However, I think it should be:

if (location.indexOf("://") == -1)
  throw new IllegalArgumentException("There is a relative path given, an IllegalArgumentException must be thrown.");

Because relative URLs, such as "foo/bar", can have the character "/", so the
exception wouldn't be thrown for them.

Is that correct? How should I proceed to fix it?

Thanks,

Pablo

Re: Possible bug in redirect handling by StateAwareResponseImpl

Posted by David Sean Taylor <da...@bluesunrise.com>.
On Nov 19, 2008, at 3:30 AM, pablo wrote:

> Hi there,
>
> I'd like you to confirm that the following is actually an issue.
>
> In StateAwareResponseImpl#sendRedirect, the ResourceURLProvider is  
> updated with the absolute or relative URL of the redirect address.  
> Then the URL is encoded and stored in the variable location, and  
> this is checked:
>
> if (location.indexOf("/") == -1)
>   throw new IllegalArgumentException("There is a relative path  
> given, an IllegalArgumentException must be thrown.");
>
> However, I think it should be:
>
> if (location.indexOf("://") == -1)
>   throw new IllegalArgumentException("There is a relative path  
> given, an IllegalArgumentException must be thrown.");
>
> Because relative URLs, such as "foo/bar", can have the character  
> "/", so the exception wouldn't be thrown for them.
>
> Is that correct? How should I proceed to fix it?
>
It is supposed to look for either a fully qualified URL or a full path  
URL. As stated in the 2.0 specification, "If a relative path URL is  
given, an IllegalArgumentException must be thrown" -- PLT 12.3.1 25

So I guess it could say startsWith instead of indexOf.
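
The checks discussed in this thread, compared side by side as an added example (not Pluto's code and not written by either poster): `passesIndexOfSlash` and `passesIndexOfScheme` mirror the two conditions quoted above, while `isAbsoluteOrFullPath` is a hypothetical stricter check. The class name, method names and sample locations are constructed for illustration; requiring a host on absolute URLs and rejecting a leading `//` are assumptions of this example, not wording from the specification.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class RedirectLocationCheck {

    // Condition quoted from sendRedirect in the thread: passes if any "/" is present.
    static boolean passesIndexOfSlash(String location) {
        return location.indexOf("/") != -1;
    }

    // Condition proposed in the first message: passes if "://" appears anywhere.
    static boolean passesIndexOfScheme(String location) {
        return location.indexOf("://") != -1;
    }

    // Hypothetical stricter check (assumption of this example): accept only a
    // fully qualified URL (scheme plus host) or a full path starting with one "/".
    static boolean isAbsoluteOrFullPath(String location) {
        if (location == null || location.isEmpty()) {
            return false;
        }
        try {
            URI uri = new URI(location);
            if (uri.isAbsolute()) {
                return uri.getHost() != null;
            }
            // No scheme: "/a/b" is a full path, "//host/a" is not (assumption).
            return location.startsWith("/") && !location.startsWith("//");
        } catch (URISyntaxException e) {
            return false; // unparsable input is treated as invalid
        }
    }

    public static void main(String[] args) {
        // Constructed sample locations, not taken from Pluto.
        String[] samples = {
            "http://example.org/portal/page",   // fully qualified URL
            "/portal/page",                     // full path URL
            "foo/bar",                          // relative path from the thread
            "page.jsp",                         // relative path without "/"
            "foo/bar?next=http://example.org/", // relative path containing "://"
            "//example.org/page"                // scheme-less reference with a host
        };
        for (String s : samples) {
            System.out.printf("%-34s slash=%-5b scheme=%-5b strict=%b%n", s,
                passesIndexOfSlash(s), passesIndexOfScheme(s), isAbsoluteOrFullPath(s));
        }
    }
}
```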