Hi Carsten,

I have opened SLING-2870 and opened a pull request [0] with the patch.
One thing to note is that some "exotic" chars used in the Java regex such as '*' are valid URI chars [1], thus those should be escaped for backward if the patch is applied.

Regards,

Timothee.

[0] https://github.com/apache/sling/pull/6
[1] http://www.ietf.org/rfc/rfc2396.txt

2013/5/13 Carsten Ziegeler <[email protected]>

> Hi Timothée,
>
> Sounds reasonable, can you create a Jira issue and maybe provide a patch?
>
> Thanks
> Carsten
>
>
> 2013/5/13 Jeff Young <[email protected]>
>
> > +1
> >
> > > -----Original Message-----
> > > From: [email protected] [mailto:[email protected]] On Behalf Of Timothée Maret
> > > Sent: 13 May 2013 11:09
> > > To: [email protected]
> > > Subject: Support allowed hosts patterns in ReferrerFilter
> > >
> > > Hi,
> > >
> > > The current "allow.hosts" setting of the ReferrerFilter can be configured with a list of trusted hosts.
> > > In a setup where the list of allowed hosts is expanding as the application runs, it becomes tricky to keep the configuration in sync.
> > > As an example, a service which supports wildcard URIs such as <userId>.my.service.com would be required to modify the reference filter configuration for each user which is hardly doable.
> > >
> > > Thus, I would propose to support regex patterns for the list of "allow.hosts", which would still be secure.
> > >
> > > The example above would be configured as:
> > > allow.hosts=*.my.service.com
> > >
> > > wdyt ?
> > >
> > > Regards,
> > >
> > > Timothee.
> > >
>
> --
> Carsten Ziegeler
> [email protected]
>

--
Timothée Maret
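
An added example, not part of the thread and not Sling's ReferrerFilter code: a sketch of matching a Referer host against java.util.regex patterns for the <userId>.my.service.com case discussed above, with a loosely written pattern beside a strict one. The class name, the isAllowed helper and the sample Referer values are assumptions made for illustration.

```java
import java.net.URI;
import java.util.List;
import java.util.regex.Pattern;

public class ReferrerHostPatterns {

    // Hypothetical helper: true if the Referer's host fully matches an allowed pattern.
    static boolean isAllowed(String referer, List<Pattern> allowed) {
        String host;
        try {
            host = URI.create(referer).getHost();
        } catch (IllegalArgumentException e) {
            return false; // an unparsable Referer is rejected
        }
        if (host == null) {
            return false;
        }
        for (Pattern p : allowed) {
            // matches() anchors at both ends; find() would also accept substrings
            if (p.matcher(host).matches()) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // A glob such as "*.my.service.com" is not a valid java.util.regex pattern:
        // Pattern.compile rejects the leading '*' with a PatternSyntaxException.

        // Loose: unescaped '.' matches any character and ".*" spans several labels.
        List<Pattern> loose = List.of(
                Pattern.compile(".*.my.service.com", Pattern.CASE_INSENSITIVE));
        // Strict: exactly one DNS label for the user id, dots escaped as literals.
        List<Pattern> strict = List.of(
                Pattern.compile("[a-z0-9-]+\\.my\\.service\\.com", Pattern.CASE_INSENSITIVE));

        String[] referers = { // constructed sample values
            "https://alice.my.service.com/page",   // intended match
            "https://alice.my-service.com/page",   // other domain: '.' matched '-'
            "https://my.service.com.example.net/", // allowed name only as a prefix
            "not a url"                            // malformed header value
        };
        for (String r : referers) {
            System.out.printf("%-38s loose=%-5b strict=%b%n",
                    r, isAllowed(r, loose), isAllowed(r, strict));
        }
    }
}
```

Only the first Referer passes the strict pattern; the loose pattern additionally accepts alice.my-service.com, which is why each dot in a configured host pattern needs escaping and the match must cover the whole host.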
