[ https://issues.apache.org/jira/browse/SLING-2360?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Felix Meschberger resolved SLING-2360.
--------------------------------------
Resolution: Fixed
Improve redirect path validity test in Rev. 1232389
- target must start with servlet context path
- target minus servlet context path must be absolute
- accept target resolving to an existing resource
- check target for illegal characters if no resource resolver is available or if it does not resolve to an existing resource
- add more unit tests
> AuthUtil.isRedirectValid makes wrong assumptions
> ------------------------------------------------
>
> Key: SLING-2360
> URL: https://issues.apache.org/jira/browse/SLING-2360
> Project: Sling
> Issue Type: Bug
> Components: Authentication
> Affects Versions: Auth Core 1.1.0
> Reporter: Felix Meschberger
> Assignee: Felix Meschberger
> Fix For: Auth Core 1.1.0
>
>
> The isRedirectValid method is assumed to be present to (a) not redirect
> outside of the scope of the Sling Web Container (by preventing absolute URLs
> to validate) and (b) not contain XSS strings (by checking the target with the
> request's resource resolver).
> The second part is flawed, though:
> * Completely ignores request context path
> * Uses resource resolver to validate path (and assumes side-effect support of being XSS clean if a resource exists)
> * Doesn't really check for XSS violations if no resource resolver exists
> We should not check with the resource resolver but implement some
> light-weight string checks with sensitive characters like <, >, ', and "
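The four rules from the resolution comment, worked through as an added Java example (this is not Sling's own AuthUtil code): a hypothetical isRedirectValid where a Set<String> stands in for the request's ResourceResolver, plus one extra check for scheme-relative "//host" targets that the issue does not list.

```java
import java.util.Set;

public final class RedirectCheck {
    // Sensitive characters named in the issue; rejected when the target
    // cannot be confirmed as an existing resource.
    private static final String ILLEGAL_CHARS = "<>'\"";

    // Hypothetical stand-in for AuthUtil.isRedirectValid. existingResources
    // replaces the ResourceResolver; null means no resolver is available.
    public static boolean isRedirectValid(String contextPath, String target,
            Set<String> existingResources) {
        if (target == null || !target.startsWith(contextPath)) {
            return false; // rule 1: must start with the servlet context path
        }
        String path = target.substring(contextPath.length());
        if (!path.startsWith("/")) {
            return false; // rule 2: remainder must be an absolute path
        }
        if (path.startsWith("//")) {
            return false; // added caveat: "//host" is scheme-relative and leaves the container
        }
        if (existingResources != null && existingResources.contains(path)) {
            return true; // rule 3: resolves to an existing resource
        }
        for (int i = 0; i < path.length(); i++) {
            if (ILLEGAL_CHARS.indexOf(path.charAt(i)) >= 0) {
                return false; // rule 4: no resolver or unknown path, so check characters
            }
        }
        return true;
    }

    private static void check(boolean actual, boolean expected, String why) {
        if (actual != expected) {
            throw new AssertionError(why);
        }
    }

    public static void main(String[] args) {
        // Constructed resource set standing in for the repository content.
        Set<String> resources = Set.of("/content/home", "/content/a<b>");
        check(isRedirectValid("/sling", "/sling/content/home", resources), true, "in-context path");
        check(isRedirectValid("/sling", "/content/home", resources), false, "context path missing");
        check(isRedirectValid("/sling", "/slingcontent", resources), false, "remainder not absolute");
        check(isRedirectValid("/sling", "http://other.example/", resources), false, "absolute URL");
        check(isRedirectValid("", "//other.example/", resources), false, "scheme-relative URL");
        check(isRedirectValid("", "/content/a<b>", resources), true, "existing resource accepted");
        check(isRedirectValid("", "/content/a<b>", null), false, "no resolver, illegal char");
        check(isRedirectValid("", "/missing/a<b>", resources), false, "unknown path, illegal char");
        System.out.println("all redirect checks passed");
    }
}
```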