[gatein-commits] gatein SVN: r8055 - portal/trunk/component/web/security/src/main/java/org/exoplatform/web/login.
Mon Nov 14 14:19:40 EST 2011
Author: mwringe
Date: 2011-11-14 14:19:40 -0500 (Mon, 14 Nov 2011)
New Revision: 8055
Modified:
portal/trunk/component/web/security/src/main/java/org/exoplatform/web/login/DoLoginServlet.java
Log:
GTNPORTAL-2269: only allow initial URI login redirects to locations on the same server.
Modified: portal/trunk/component/web/security/src/main/java/org/exoplatform/web/login/DoLoginServlet.java
===================================================================
--- portal/trunk/component/web/security/src/main/java/org/exoplatform/web/login/DoLoginServlet.java 2011-11-14 11:04:23 UTC (rev 8054)
+++ portal/trunk/component/web/security/src/main/java/org/exoplatform/web/login/DoLoginServlet.java 2011-11-14 19:19:40 UTC (rev 8055)
@@ -27,6 +27,8 @@
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
+import java.net.URI;
+import java.net.URISyntaxException;
/**
* @author <a href="mailto:julien.viet at exoplatform.com">Julien Viet</a>
@@ -42,11 +44,27 @@
{
String initialURI = req.getParameter("initialURI");
log.debug("Performing the do login send redirect with initialURI=" + initialURI + " and remoteUser=" + req.getRemoteUser());
+
if (initialURI == null || initialURI.length() == 0)
{
initialURI = req.getContextPath();
}
+ try
+ {
+ URI uri = new URI(initialURI);
+ if (uri.isAbsolute() && !(uri.getHost().equals(req.getServerName())))
+ {
+ log.warn("Cannot redirect to an URI outside of the current host when using a login redirect. Redirecting to the portal context path instead.");
+ initialURI = req.getContextPath();
+ }
+ }
+ catch (URISyntaxException e)
+ {
+ log.warn("Initial URI in login link is malformed. Redirecting to the portal context path instead.");
+ initialURI = req.getContextPath();
+ }
+
//
resp.sendRedirect(resp.encodeRedirectURL(initialURI));
}
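Review bot: The new host check at `if (uri.isAbsolute() && !(uri.getHost().equals(req.getServerName())))` only runs for absolute URIs, so a scheme-relative value such as `//evil.example/x` has no scheme, is treated as non-absolute, and reaches `sendRedirect` untouched; whether the browser then leaves the site depends on how the container resolves a network-path reference, so this may still be an open redirect. The same line throws NullPointerException instead of falling back to the context path when the URI is absolute but has no host part (`mailto:`, `javascript:`), because `getHost()` returns null there. Both cases are closed by testing for an authority rather than a scheme and by comparing in null-safe order: `if ((uri.isAbsolute() || uri.getRawAuthority() != null) && !req.getServerName().equals(uri.getHost()))`. The enclosing method's signature lies outside this hunk, so its other parameters and any caller-side handling are not visible here.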