Fix CookieRequestCache for URL encoded query parameters
Avoid populating the saved request parameters with encoded values. Since the query strings of the request and saved URL are compared and must be equal, we can just use the parameters from the incoming request. Closes gh-9203
This commit is contained in:
parent
8b71d213f9
commit
1d96579265
|
@ -17,7 +17,6 @@
|
||||||
package org.springframework.security.web.savedrequest;
|
package org.springframework.security.web.savedrequest;
|
||||||
|
|
||||||
import java.util.Base64;
|
import java.util.Base64;
|
||||||
import java.util.HashMap;
|
|
||||||
|
|
||||||
import javax.servlet.http.Cookie;
|
import javax.servlet.http.Cookie;
|
||||||
import javax.servlet.http.HttpServletRequest;
|
import javax.servlet.http.HttpServletRequest;
|
||||||
|
@ -79,11 +78,6 @@ public class CookieRequestCache implements RequestCache {
|
||||||
DefaultSavedRequest.Builder builder = new DefaultSavedRequest.Builder();
|
DefaultSavedRequest.Builder builder = new DefaultSavedRequest.Builder();
|
||||||
int port = getPort(uriComponents);
|
int port = getPort(uriComponents);
|
||||||
MultiValueMap<String, String> queryParams = uriComponents.getQueryParams();
|
MultiValueMap<String, String> queryParams = uriComponents.getQueryParams();
|
||||||
if (!queryParams.isEmpty()) {
|
|
||||||
HashMap<String, String[]> parameters = new HashMap<>(queryParams.size());
|
|
||||||
queryParams.forEach((key, value) -> parameters.put(key, value.toArray(new String[] {})));
|
|
||||||
builder.setParameters(parameters);
|
|
||||||
}
|
|
||||||
return builder.setScheme(uriComponents.getScheme()).setServerName(uriComponents.getHost())
|
return builder.setScheme(uriComponents.getScheme()).setServerName(uriComponents.getHost())
|
||||||
.setRequestURI(uriComponents.getPath()).setQueryString(uriComponents.getQuery()).setServerPort(port)
|
.setRequestURI(uriComponents.getPath()).setQueryString(uriComponents.getQuery()).setServerPort(port)
|
||||||
.setMethod(request.getMethod()).build();
|
.setMethod(request.getMethod()).build();
|
||||||
|
|
|
@ -153,6 +153,25 @@ public class CookieRequestCacheTests {
|
||||||
assertThat(expiredCookie).isNull();
|
assertThat(expiredCookie).isNull();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void matchingRequestWhenUrlEncodedQueryParametersThenDoesNotDuplicate() {
|
||||||
|
CookieRequestCache cookieRequestCache = new CookieRequestCache();
|
||||||
|
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||||
|
request.setServerPort(443);
|
||||||
|
request.setSecure(true);
|
||||||
|
request.setScheme("https");
|
||||||
|
request.setServerName("abc.com");
|
||||||
|
request.setRequestURI("/destination");
|
||||||
|
request.setQueryString("goto=https%3A%2F%2Fstart.spring.io");
|
||||||
|
request.setParameter("goto", "https://start.spring.io");
|
||||||
|
String redirectUrl = "https://abc.com/destination?goto=https%3A%2F%2Fstart.spring.io";
|
||||||
|
request.setCookies(new Cookie(DEFAULT_COOKIE_NAME, encodeCookie(redirectUrl)));
|
||||||
|
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||||
|
final HttpServletRequest matchingRequest = cookieRequestCache.getMatchingRequest(request, response);
|
||||||
|
assertThat(matchingRequest).isNotNull();
|
||||||
|
assertThat(matchingRequest.getParameterValues("goto")).containsExactly("https://start.spring.io");
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void removeRequestWhenInvokedThenSetsAnExpiredCookieOnResponse() {
|
public void removeRequestWhenInvokedThenSetsAnExpiredCookieOnResponse() {
|
||||||
CookieRequestCache cookieRequestCache = new CookieRequestCache();
|
CookieRequestCache cookieRequestCache = new CookieRequestCache();
|
||||||
|
|
Loading…
Reference in New Issue