From 7cf37856c0b06775469bf0dea907bee8280b2a31 Mon Sep 17 00:00:00 2001
From: Maciej Zasada
Date: Wed, 12 Jun 2013 16:04:15 +0200
Subject: [PATCH] SEC-2177: Striping off all leading schemes
Striping off all leading schemes in the DefaultRedirectStrategy, so it will be less vulnerable to open redirect phishing attacks. More info can be found at SEC-2177 JIRA issue.
---
 .../security/web/DefaultRedirectStrategy.java | 5 +++--
 .../security/web/DefaultRedirectStrategyTests.java | 13 +++++++++++++
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/web/src/main/java/org/springframework/security/web/DefaultRedirectStrategy.java b/web/src/main/java/org/springframework/security/web/DefaultRedirectStrategy.java
index 2c0d8ae0f3..c9a8f48dde 100644
--- a/web/src/main/java/org/springframework/security/web/DefaultRedirectStrategy.java
+++ b/web/src/main/java/org/springframework/security/web/DefaultRedirectStrategy.java
@@ -54,8 +54,9 @@ public class DefaultRedirectStrategy implements RedirectStrategy {
 return url;
 }
- // Calculate the relative URL from the fully qualified URL, minus the scheme and base context.
- url = url.substring(url.indexOf("://") + 3); // strip off scheme
+ // Calculate the relative URL from the fully qualified URL, minus the last
+ // occurrence of the scheme and base context.
+ url = url.substring(url.lastIndexOf("://") + 3); // strip off scheme
 url = url.substring(url.indexOf(contextPath) + contextPath.length());
 if (url.length() > 1 && url.charAt(0) == '/') {
diff --git a/web/src/test/java/org/springframework/security/web/DefaultRedirectStrategyTests.java b/web/src/test/java/org/springframework/security/web/DefaultRedirectStrategyTests.java
index b91edff2d0..864957196e 100644
--- a/web/src/test/java/org/springframework/security/web/DefaultRedirectStrategyTests.java
+++ b/web/src/test/java/org/springframework/security/web/DefaultRedirectStrategyTests.java
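Review bot: The new `url = url.substring(url.lastIndexOf("://") + 3)` line searches the entire URL, query string and fragment included, so a legitimate absolute target whose query carries another URL (a common shape for `next`/`continue` parameters, e.g. `http://host/context/foo?next=http://other/x`) is now cut inside the query; the following `url.indexOf(contextPath)` then returns -1 and the code runs `substring(contextPath.length() - 1)` on the remainder, producing a garbage target or a StringIndexOutOfBoundsException when the remainder is shorter than the context path. The SEC-2177 trick only requires removing repeated leading `scheme://` prefixes, so strip from the front in a loop rather than searching from the end; the unguarded -1 on the `indexOf(contextPath)` line is pre-existing but deserves its own check (e.g. fall through to the relative-path branch when the context path is absent). The enclosing method starts and ends outside the hunk, so I cannot see whether an earlier absolute-URL check already bounds the input here.
```java
// Strip every leading "scheme://" (a doubled scheme is the SEC-2177 open-redirect trick)
// without scanning into the path or query, where a legitimate "://" may appear.
int schemeEnd;
while ((schemeEnd = url.indexOf("://")) > 0
        && url.substring(0, schemeEnd).matches("[A-Za-z][A-Za-z0-9+.\\-]*")) {
    url = url.substring(schemeEnd + 3);
}
// … unchanged: context-path strip and leading-slash handling …
```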
@@ -24,4 +24,17 @@ public class DefaultRedirectStrategyTests {
 assertEquals("remainder", response.getRedirectedUrl());
 }
+
+ @Test
+ public void contextRelativeUrlWithMultipleSchemesInHostnameIsHandledCorrectly() throws Exception {
+ DefaultRedirectStrategy rds = new DefaultRedirectStrategy();
+ rds.setContextRelative(true);
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ request.setContextPath("/context");
+ MockHttpServletResponse response = new MockHttpServletResponse();
+
+ rds.sendRedirect(request, response, "http://http://context.blah.com/context/remainder");
+
+ assertEquals("remainder", response.getRedirectedUrl());
+ }
 }
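Review bot: The added test `contextRelativeUrlWithMultipleSchemesInHostnameIsHandledCorrectly` pins only the doubled-scheme input and not the input class that a last-occurrence scheme strip is most likely to break: an absolute URL whose query string itself carries a URL. I would add a companion test beside it with the same `rds`/`request` setup, calling `rds.sendRedirect(request, response, "http://context.blah.com/context/remainder?next=http://other.example/x");` and asserting `assertEquals("remainder?next=http://other.example/x", response.getRedirectedUrl());`. As far as I can trace the strategy change in this commit, that assertion fails because the scheme strip lands inside the query value and the `/context` path is then not found, which is exactly the regression worth guarding. The test class's opening lines are outside the hunk.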