Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2026-03-30 14:08:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch '7.0.x'

Browse Source
This commit is contained in:
Josh Cummings 2026-03-25 15:20:07 -06:00
commit 0606ff152b
2 changed files with 15 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandler.java
View File

@ -113,9 +113,14 @@ public abstract class AbstractAuthenticationTargetUrlRequestHandler {
trace("Using url %s from request parameter %s", targetUrlParameterValue, this.targetUrlParameter);
return targetUrlParameterValue;
}
String refererHeader = request.getHeader("Referer");
if (!StringUtils.hasText(refererHeader)) {
return this.defaultTargetUrl;
}
if (this.useReferer) {
trace("Using url %s from Referer header", request.getHeader("Referer"));
return request.getHeader("Referer");
trace("Using url %s from Referer header", refererHeader);
return refererHeader;
}
return this.defaultTargetUrl;
}

8
web/src/test/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandlerTests.java
View File

@ -114,4 +114,12 @@ public class AbstractAuthenticationTargetUrlRequestHandlerTests {
assertThatIllegalArgumentException().isThrownBy(() -> this.handler.setRedirectStrategy(null));
}
// gh-18805
@Test
void returnDefaultUrlIfUseRefererIsTrueAndRefererHeaderIsEmpty() {
this.handler.setUseReferer(true);
this.request.addHeader("Referer", "");
assertThat(this.handler.determineTargetUrl(this.request, this.response)).isEqualTo(DEFAULT_TARGET_URL);
}
}