cziegeler opened a new pull request, #28:
URL: https://github.com/apache/sling-org-apache-sling-auth-core/pull/28

   Hardens the redirect handling in both `DefaultAuthenticationFeedbackHandler` 
and `DefaultJakartaAuthenticationFeedbackHandler` against open-redirect attacks 
and log-injection vulnerabilities.
   
   **Changes:**
   - Restrict `sendRedirect` to relative paths only (must start with `/` and 
not contain `://`); falls back to `/` for any external or protocol-relative URL
   - Add `sanitizeForLog()` helper that escapes CR (`\r`) and LF (`\n`) 
characters to prevent log injection
   - Apply `sanitizeForLog()` to all redirect-target values before passing them 
to logger calls
   - Switch error log concatenation to SLF4J parameterized logging (`{}` 
placeholder) for consistency and safety
   
   Co-authored-by: Maia <maia@noreply>


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to