Fix NPE in UrlUtils with null url

Fixes gh-4233

web/src/main/java/org/springframework/security/web/util/UrlUtils.java

@@ -129,7 +129,7 @@ public final class UrlUtils {
 	 * Returns true if the supplied URL starts with a "/" or is absolute.
 	 */
 	public static boolean isValidRedirectUrl(String url) {
-		return url != null && url.startsWith("/") || isAbsoluteUrl(url);
+		return url != null && (url.startsWith("/") || isAbsoluteUrl(url));
 	}
 
 	/**
@@ -137,6 +137,9 @@ public final class UrlUtils {
 	 * defined in RFC 1738.
 	 */
 	public static boolean isAbsoluteUrl(String url) {
+		if(url == null) {
+			return false;
+		}
 		final Pattern ABSOLUTE_URL = Pattern.compile("\\A[a-z0-9.+-]+://.*",
 				Pattern.CASE_INSENSITIVE);
 

web/src/test/java/org/springframework/security/web/util/UrlUtilsTests.java

@@ -35,4 +35,24 @@ public class UrlUtilsTests {
 		assertThat(UrlUtils.isAbsoluteUrl("zz+zz.zz-zz://something/")).isTrue();
 	}
 
+	@Test
+	public void isAbsoluteUrlWhenNullThenFalse() {
+		assertThat(UrlUtils.isAbsoluteUrl(null)).isFalse();
+	}
+
+	@Test
+	public void isAbsoluteUrlWhenEmptyThenFalse() {
+		assertThat(UrlUtils.isAbsoluteUrl("")).isFalse();
+	}
+
+	@Test
+	public void isValidRedirectUrlWhenNullThenFalse() {
+		assertThat(UrlUtils.isValidRedirectUrl(null)).isFalse();
+	}
+
+	@Test
+	public void isValidRedirectUrlWhenEmptyThenFalse() {
+		assertThat(UrlUtils.isValidRedirectUrl("")).isFalse();
+	}
+
 }