Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-18 10:02:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

SEC-1790: Reject redirect locations containing CR or LF.

Browse Source
This commit is contained in:
Luke Taylor 2011-07-27 16:47:15 +01:00
parent d5b72275e5
commit f5fbda42e5
4 changed files with 68 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -6,6 +6,7 @@ out/
*.ipr *.ipr
*.iml *.iml
*.iws *.iws
*.log
intellij/ intellij/
.settings .settings
.classpath .classpath

2
core/src/main/java/org/springframework/security/firewall/DefaultHttpFirewall.java
View File

@ -33,7 +33,7 @@ public class DefaultHttpFirewall implements HttpFirewall {
} }
public HttpServletResponse getFirewalledResponse(HttpServletResponse response) { public HttpServletResponse getFirewalledResponse(HttpServletResponse response) {
return response; return new FirewalledResponse(response);
} }
/** /**

26
core/src/main/java/org/springframework/security/firewall/FirewalledResponse.java Normal file
View File

@ -0,0 +1,26 @@
package org.springframework.security.firewall;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.regex.Pattern;
/**
* @author Luke Taylor
*/
class FirewalledResponse extends HttpServletResponseWrapper {
Pattern CR_OR_LF = Pattern.compile("\\r|\\n");
public FirewalledResponse(HttpServletResponse response) {
super(response);
}
public void sendRedirect(String location) throws IOException {
// TODO: implement pluggable validation, instead of simple blacklisting.
// SEC-1790. Prevent redirects containing CRLF
if (CR_OR_LF.matcher(location).find()) {
throw new IllegalArgumentException("Invalid characters (CR/LF) in redirect location");
}
super.sendRedirect(location);
}
}

6
core/src/main/java/org/springframework/security/ui/TargetUrlResolverImpl.java
View File

@ -28,7 +28,7 @@ import org.springframework.util.StringUtils;
/** /**
* Default implementation for {@link TargetUrlResolver} * Default implementation for {@link TargetUrlResolver}
* <p> * <p/>
* Returns a target URL based from the contents of the configured <tt>targetUrlParameter</tt> if present on * Returns a target URL based from the contents of the configured <tt>targetUrlParameter</tt> if present on
* the current request. Failing that, the SavedRequest in the session will be used. * the current request. Failing that, the SavedRequest in the session will be used.
* *
@ -36,7 +36,6 @@ import org.springframework.util.StringUtils;
* @author Luke Taylor * @author Luke Taylor
* @version $Id$ * @version $Id$
* @since 2.0 * @since 2.0
*
*/ */
public class TargetUrlResolverImpl implements TargetUrlResolver { public class TargetUrlResolverImpl implements TargetUrlResolver {
public static String DEFAULT_TARGET_PARAMETER = "spring-security-redirect"; public static String DEFAULT_TARGET_PARAMETER = "spring-security-redirect";
@ -94,7 +93,6 @@ public class TargetUrlResolverImpl implements TargetUrlResolver {
this.justUseSavedRequestOnGet = justUseSavedRequestOnGet; this.justUseSavedRequestOnGet = justUseSavedRequestOnGet;
} }
/** /**
* Before checking the SavedRequest, the current request will be checked for this parameter * Before checking the SavedRequest, the current request will be checked for this parameter
* and the value used as the target URL if resent. * and the value used as the target URL if resent.
@ -103,7 +101,7 @@ public class TargetUrlResolverImpl implements TargetUrlResolver {
* to "redirect". * to "redirect".
*/ */
public void setTargetUrlParameter(String targetUrlParameter) { public void setTargetUrlParameter(String targetUrlParameter) {
Assert.hasText("targetUrlParamete canot be null or empty"); Assert.hasText("targetUrlParameter cannot be null or empty");
this.targetUrlParameter = targetUrlParameter; this.targetUrlParameter = targetUrlParameter;
} }
} }