[
https://issues.apache.org/jira/browse/WW-4187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13757600#comment-13757600
]
Michiel Toneman commented on WW-4187:
-------------------------------------
Wouldn't the correct solution be to stop messing with indexOf, regexes and
incorrect assumptions and properly parse the URL into its components, e.g.:
http://docs.oracle.com/javase/tutorial/networking/urls/urlInfo.html
Then we can take the appropriate action based on getProtocol(), getHost()
etc... There is a computational cost to this, but since the shortcuts taken
have already caused so much breakage (this issue as well as the linked issue),
it would make sense to fix this properly.
> ServletRedirectResult only works with a limited set of hardcoded URL protocols
> ------------------------------------------------------------------------------
>
> Key: WW-4187
> URL: https://issues.apache.org/jira/browse/WW-4187
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 2.3.7, 2.3.8, 2.3.12, 2.3.14, 2.3.14.1, 2.3.14.2,
> 2.3.14.3, 2.3.15.1
> Reporter: Michiel Toneman
> Fix For: 2.3.17
>
>
> The isPathUrl(String url) implementation was changed from:
> {code:java}
> return (url.indexOf(':') == -1);
> {code}
> to:
> {code:java}
> return !url.startsWith("http:")
> && !url.startsWith("https:")
> && !url.startsWith("mailto:";)
> && !url.startsWith("file:")
> && !url.startsWith("ftp:");
> {code}
> This breaks integrations which require a redirect in (e.g.) a mobile app for
> iOS which often use custom protocols such as myapp://
> There are also numerous valid / common protocols which are not in this list.
> The result of this change is that redirects to such URLs are treated as local
> redirects (paths), rather than absolute redirects.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
