AuthUtil.isRedirectValid makes wrong assumptions
------------------------------------------------
Key: SLING-2360
URL: https://issues.apache.org/jira/browse/SLING-2360
Project: Sling
Issue Type: Bug
Components: Authentication
Affects Versions: Auth Core 1.1.0
Reporter: Felix Meschberger
Assignee: Felix Meschberger
Fix For: Auth Core 1.1.0
The isRedirectValid method is assumed to be present to (a) not redirect outside
of the scope of the Sling Web Container (by preventing absolute URLs to
validate) and (b) not contain XSS strings (by checking the target with the
request's resource resolver).
The second part is flawed, though:
* Completely ignores the request context path
* Uses the resource resolver to validate the path (and assumes, as a side effect, that the target is XSS clean if a resource exists)
* Doesn't really check for XSS violations if no resource resolver exists
We should not check with the resource resolver but implement some light-weight string checks with sensitive characters like <, >, ', and ".
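The following is an added, self-contained illustration of the light-weight approach proposed above; it is not the code of Sling's AuthUtil.isRedirectValid, and the class name RedirectTargetCheck and the two-argument signature isRedirectValid(String target, String contextPath) are assumptions for this example. It covers both halves of the original intent without touching a resource resolver: absolute and protocol-relative targets are rejected so the redirect stays inside the web container, the characters <, >, ' and " (plus control characters, which would permit header injection) are rejected, and the target must lie under the request's context path.

```java
import java.util.regex.Pattern;

/**
 * Added example (not Sling's AuthUtil): validates a redirect target with
 * plain string checks instead of a resource resolver lookup.
 */
public final class RedirectTargetCheck {

    // Characters that must never appear in a redirect target (script/attribute injection).
    private static final String FORBIDDEN_CHARS = "<>'\"";

    // RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
    private static final Pattern ABSOLUTE_URL =
            Pattern.compile("^[A-Za-z][A-Za-z0-9+.-]*:.*");

    private RedirectTargetCheck() {}

    /**
     * @param target      redirect target taken from the request (may be null)
     * @param contextPath servlet context path, "" for the root context
     * @return true only if the target is a safe, context-local redirect
     */
    public static boolean isRedirectValid(String target, String contextPath) {
        if (target == null || target.isEmpty()) {
            return false;
        }
        // (a) Stay inside the web container: reject scheme-qualified targets
        //     (http:, javascript:, ...), protocol-relative "//host/..." and
        //     backslash variants that some browsers normalise to slashes.
        if (ABSOLUTE_URL.matcher(target).matches()
                || target.startsWith("//")
                || target.startsWith("/\\")
                || target.startsWith("\\")) {
            return false;
        }
        // (b) Reject sensitive characters and control characters (CR/LF would
        //     allow response splitting) without consulting any resolver.
        for (int i = 0; i < target.length(); i++) {
            char c = target.charAt(i);
            if (FORBIDDEN_CHARS.indexOf(c) >= 0 || c < 0x20 || c == 0x7f) {
                return false;
            }
        }
        // (c) Honour the request context path: only root-relative targets are
        //     accepted, and they must equal or sit below the context path.
        if (!target.startsWith("/")) {
            return false;
        }
        String ctx = (contextPath == null) ? "" : contextPath;
        if (ctx.isEmpty()) {
            return true;
        }
        return target.equals(ctx)
                || target.startsWith(ctx + "/")
                || target.startsWith(ctx + "?");
    }

    public static void main(String[] args) {
        // Constructed sample inputs: {target, contextPath}
        String[][] cases = {
            {"/app/content/page.html", "/app"},   // valid
            {"/content/page.html", ""},           // valid, root context
            {"http://example.invalid/x", "/app"}, // rejected: absolute URL
            {"//example.invalid/x", "/app"},      // rejected: protocol-relative
            {"/app/x?q=<b>", "/app"},             // rejected: sensitive character
            {"/other/x", "/app"},                 // rejected: outside context path
        };
        for (String[] c : cases) {
            System.out.printf("%-28s ctx=%-5s -> %s%n",
                    c[0], c[1], isRedirectValid(c[0], c[1]));
        }
    }
}
```

The choice to accept only root-relative targets (leading "/") is a deliberate simplification of this example; a deployment that wants to allow targets relative to the current request path would resolve them against the request URI first and then apply the same three checks to the result.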