From 9057fbe0ed83221dc0f0e06007fc744a8dc81a73 Mon Sep 17 00:00:00 2001
From: Maciej Zasada
Date: Wed, 12 Jun 2013 16:04:15 +0200
Subject: [PATCH] SEC-2177: Striping off all leading schemes

Striping off all leading schemes in the DefaultRedirectStrategy, so it will be less vulnerable to open redirect phishing attacks. More info can be found at SEC-2177 JIRA issue.
---
 .../security/web/DefaultRedirectStrategy.java | 5 +++--
 .../security/web/DefaultRedirectStrategyTests.java | 13 +++++++++++++
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/web/src/main/java/org/springframework/security/web/DefaultRedirectStrategy.java b/web/src/main/java/org/springframework/security/web/DefaultRedirectStrategy.java
index 2c0d8ae0f3..c9a8f48dde 100644
--- a/web/src/main/java/org/springframework/security/web/DefaultRedirectStrategy.java
+++ b/web/src/main/java/org/springframework/security/web/DefaultRedirectStrategy.java
@@ -54,8 +54,9 @@ public class DefaultRedirectStrategy implements RedirectStrategy {
 return url;
 }
 
- // Calculate the relative URL from the fully qualified URL, minus the scheme and base context.
- url = url.substring(url.indexOf("://") + 3); // strip off scheme
+ // Calculate the relative URL from the fully qualified URL, minus the last
+ // occurrence of the scheme and base context.
+ url = url.substring(url.lastIndexOf("://") + 3); // strip off scheme
 url = url.substring(url.indexOf(contextPath) + contextPath.length());
 
 if (url.length() > 1 && url.charAt(0) == '/') {
diff --git a/web/src/test/java/org/springframework/security/web/DefaultRedirectStrategyTests.java b/web/src/test/java/org/springframework/security/web/DefaultRedirectStrategyTests.java
index b91edff2d0..864957196e 100644
--- a/web/src/test/java/org/springframework/security/web/DefaultRedirectStrategyTests.java
+++ b/web/src/test/java/org/springframework/security/web/DefaultRedirectStrategyTests.java
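Review bot: `lastIndexOf("://")` on the new line trades one ambiguity for another: an absolute URL whose query string carries a second URL (a continuation parameter, which the old `indexOf` handled correctly) is now cut at the embedded `://`, so the following `indexOf(contextPath)` returns -1 and `substring` runs with a negative or out-of-range offset. The root cause is that both cuts are delimiter searches on the raw string; the unchanged `indexOf(contextPath)` line is just as fragile, matching a host name that begins with the context name (the shape the new test uses) before the real path. Parsing with `java.net.URI` and stripping the context prefix from the parsed path alone removes both ambiguities, as sketched below; it needs `import java.net.URI;`, a decision on how a malformed `url` is reported (`URI.create` throws `IllegalArgumentException`), and a decision on what to do when the path is not under `contextPath`, which is the case to treat as not context-relative rather than fall through. The enclosing method starts and ends outside the hunk, so whatever absolute-URL check precedes this block is not visible here.
```java
        // Calculate the relative URL from the fully qualified URL, minus the
        // scheme, authority and base context. Parse instead of searching for
        // delimiters so that "://" or the context name inside the host or
        // query cannot move the cut point.
        URI parsed = URI.create(url); // TODO(review): decide how a malformed url is reported
        String path = parsed.getRawPath() == null ? "" : parsed.getRawPath();
        if (!path.startsWith(contextPath)) {
            // TODO(review): url is outside this context; decide how to report it instead of falling through
        }
        url = path.substring(contextPath.length())
                + (parsed.getRawQuery() == null ? "" : "?" + parsed.getRawQuery())
                + (parsed.getRawFragment() == null ? "" : "#" + parsed.getRawFragment());
        // … unchanged: leading '/' handling …
```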
@@ -24,4 +24,17 @@ public class DefaultRedirectStrategyTests {
 assertEquals("remainder", response.getRedirectedUrl());
 }
+
+ @Test
+ public void contextRelativeUrlWithMultipleSchemesInHostnameIsHandledCorrectly() throws Exception {
+ DefaultRedirectStrategy rds = new DefaultRedirectStrategy();
+ rds.setContextRelative(true);
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ request.setContextPath("/context");
+ MockHttpServletResponse response = new MockHttpServletResponse();
+
+ rds.sendRedirect(request, response, "http://http://context.blah.com/context/remainder");
+
+ assertEquals("remainder", response.getRedirectedUrl());
+ }
 }
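Review bot: The new test pins only the doubled-scheme input; it does not cover the legitimate case the switch to `lastIndexOf` can break, an absolute URL that carries a second URL in its query string. A sibling test with `rds.sendRedirect(request, response, "http://blah.com/context/remainder?next=https://blah.com/context/other");` and `assertEquals("remainder?next=https://blah.com/context/other", response.getRedirectedUrl());` would guard that regression, and I expect it to fail against the patched strategy, which is the point of adding it. The method name promises `MultipleSchemesInHostname`, but `http://http://context.blah.com` is a malformed URL rather than a host name; `contextRelativeUrlWithDuplicatedSchemeIsHandledCorrectly` would describe the fixture more accurately.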