Posted to commits@sling.apache.org by cz...@apache.org on 2013/10/01 14:08:05 UTC
svn commit: r1528062 -
/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationFormServlet.java
Author: cziegeler
Date: Tue Oct 1 12:08:05 2013
New Revision: 1528062
URL: http://svn.apache.org/r1528062
Log:
SLING-3141 : AbstractAuthenticationFormServlet should make sure resource is a valid redirect
Modified:
sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationFormServlet.java
Modified: sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationFormServlet.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationFormServlet.java?rev=1528062&r1=1528061&r2=1528062&view=diff
==============================================================================
--- sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationFormServlet.java (original)
+++ sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationFormServlet.java Tue Oct 1 12:08:05 2013
@@ -130,15 +130,49 @@ public abstract class AbstractAuthentica
throws IOException {
String form = getRawForm();
- form = form.replace("${resource}", escapeXml(getResource(request)));
- form = form.replace("${j_reason}", escapeXml(getReason(request)));
- form = form.replace("${requestContextPath}", escapeXml(getContextPath(request)));
- form = form.replace("${contextPath}", escapeXml(request.getContextPath()));
+ final String resource = cleanse(request, getResource(request));
+ final String reason = getReason(request);
+ final String resourceContextPath = cleanse(request, getContextPath(request));
+ final String contextPath = request.getContextPath();
+
+ // replace form placeholders with checked and filtered values
+ form = form.replace("${resource}", escape(resource));
+ form = form.replace("${j_reason}", escape(reason));
+ form = form.replace("${requestContextPath}", escape(resourceContextPath));
+ form = form.replace("${contextPath}", escape(contextPath));
return form;
}
- private static String escapeXml(final String input) {
+ /**
+ * Makes sure the given {@code target} is not pointing to some absolute
+ * location outside of the given {@code request} context. If so, the target
+ * must be ignored and an empty string is returned.
+ * <p>
+ * This method uses the
+ * {@link AuthUtil#isRedirectValid(HttpServletRequest, String)} method.
+ *
+ * @param request The {@code HttpServletRequest} to test the {@code target}
+ * against.
+ * @param target The target location (URL) to test for validity.
+ * @return The target location if not pointing outside of the current
+ * request or an empty string.
+ */
+ private static String cleanse(final HttpServletRequest request, final String target) {
+ if (target.length() > 0 && !AuthUtil.isRedirectValid(request, target)) {
+ return "";
+ }
+ return target;
+ }
+
+ /**
+ * Escape the output.
+ * This method does a simple XML escaping for '<', '>' and '&'
+ * and also escapes single and double quotes.
+ * As these characters should never occur in a url this encoding should
+ * be fine.
+ */
+ private static String escape(final String input) {
if (input == null) {
return null;
}
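Review bot: `cleanse` dereferences `target` (`target.length()`) without a null check, while the sibling `escape` introduced in the same hunk explicitly tolerates null, so if `getResource` or `getContextPath` can ever return null the NPE now surfaces in `cleanse` instead of being passed through. If null is possible there, `if (target != null && target.length() > 0 && !AuthUtil.isRedirectValid(request, target)) {` keeps the two helpers consistent; otherwise the Javadoc should state that `target` must be non-null. The rejection of an invalid redirect target is also silent: returning `""` hides attempted off-site redirects from operators, so emitting a debug-level log of the rejected value (if the class has a logger available) would make such attempts observable. The `escape` method's body continues in the next hunk and its end lies outside both hunks.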
@@ -148,10 +182,14 @@ public abstract class AbstractAuthentica
final char c = input.charAt(i);
if(c == '&') {
b.append("&");
- } else if(c == '<') {
+ } else if (c == '<') {
b.append("<");
- } else if(c == '>') {
+ } else if (c == '>') {
b.append(">");
+ } else if (c == '"') {
+ b.append("%22");
+ } else if (c == '\'') {
+ b.append("%27");
} else {
b.append(c);
}
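Review bot: The two added branches percent-encode quotes (`%22`, `%27`), which is URL encoding rather than HTML escaping, yet `escape` is also applied to `${j_reason}`, a human-readable message where a quote would now be displayed literally as `%22`; the Javadoc's claim that these characters never occur in a URL does not cover that placeholder. Using the HTML entities `b.append("&quot;");` and `b.append("&#39;");` is safe in both attribute and text context and still yields the original characters for the URL-valued placeholders once the browser decodes the attribute. As rendered in this mail view the `&` branch appears to append a bare `&`, which is presumably the entity `&amp;` decoded by the plain-text renderer; it is worth confirming against the source. The surrounding loop and the method's return lie outside this hunk.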