On 1 April 2011 15:49, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Ronald,
>
> On 3/31/2011 8:21 PM, Christopher Schultz wrote:
>> On 3/31/2011 7:05 AM, Ronald Klop wrote:
>>> I would say that some proper input validation solves your problem.
>>> Does new URL(redirectURL).toString() give an exception on invalid URLs?
>>
>> new URL(String) will throw a MalformedURLException if there are illegal
>> characters in the URL.
>>
>> I suppose that's good enough for my purposes: the only returnURLs that
>> should be generated should be coming from our own application, and if
>> they are broken, it's a bug. If a MalformedURLException is thrown, it
>> should be due to some sort of malicious use and the user is better off
>> getting a nasty error than just about anything else.
>
> Apparently, it's more complicated than that... at least when it comes to
> my particular application... we want to keep the URLs as short as
> possible, so they are not fully-qualified in most cases. Instead, they
> are webapp-relative and blindly passing them into the java.net.URL
> constructor fails even for "real" URLs because they have no protocol.

I may be missing something here, but can't you use the ctor:
URL(URL context, String spec)
and pass in a dummy context with a suitable protocol?

> Now, I could add code to fully-qualify them, but then I'd be doing work
> I'm already asking the container to do for me (since
> HttpServletResponse.sendRedirect is required to fully-qualify the URL
> anyway) and I'd prefer to rely on the container for that task -- it's
> likely to do a better job, anyway :)
>
> I think I'm going to standardize on simply scanning for troublesome
> characters like \r and \n and throwing a MalformedURLException or
> something like that.
>
> If anyone else has any good ideas or warnings about what might be a
> naive sanitization check, I'd be glad to hear them.
>
> Thanks,
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
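
The two checks discussed in this thread, combined as an added example that is not code from any poster or from Tomcat: scan the return URL for control characters, then resolve it with `URL(URL context, String spec)` against a dummy context and require that scheme, host and port are unchanged. The class name, the `webapp.invalid` placeholder context, the backslash rule and the sample inputs are assumptions made for illustration.

```java
import java.net.MalformedURLException;
import java.net.URL;

public class ReturnUrlCheck {
    // Placeholder context used only for parsing (assumption, never contacted).
    private static final String DUMMY_CONTEXT = "http://webapp.invalid/";

    /** Returns returnUrl unchanged if it is safe to hand to sendRedirect. */
    public static String check(String returnUrl) throws MalformedURLException {
        if (returnUrl == null) {
            throw new MalformedURLException("missing return URL");
        }
        for (int i = 0; i < returnUrl.length(); i++) {
            char c = returnUrl.charAt(i);
            // CR/LF and other control characters could split the Location header.
            // Backslash is refused too because browsers read it as '/'.
            if (c < 0x20 || c == 0x7f || c == '\\') {
                throw new MalformedURLException("illegal character at index " + i);
            }
        }
        URL context = new URL(DUMMY_CONTEXT);
        URL resolved = new URL(context, returnUrl); // throws on unknown schemes
        // A webapp-relative value keeps the context's scheme, host and port.
        boolean sameOrigin = context.getProtocol().equals(resolved.getProtocol())
                && context.getHost().equalsIgnoreCase(resolved.getHost())
                && context.getPort() == resolved.getPort();
        if (!sameOrigin) {
            throw new MalformedURLException("return URL points at another host");
        }
        return returnUrl;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the thread.
        String[] samples = {
            "/app/account?tab=2", "account/edit", "http://other.example/",
            "//other.example/x", "/app/home\r\nSet-Cookie: x=1"
        };
        for (String s : samples) {
            try {
                System.out.println("ok       " + check(s));
            } catch (MalformedURLException e) {
                System.out.println("rejected " + e.getMessage());
            }
        }
    }
}
```

The original string, not the resolved one, is returned, so the container still does the fully-qualifying work in `sendRedirect`.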