Author: etnu Date: Tue Feb 26 15:05:53 2008 New Revision: 631422 URL: http://svn.apache.org/viewvc?rev=631422&view=rev Log: Added protocol validation to GadgetRenderingServlet to prevent redirection exploits and potential problems with RemoteContentFetcher implementations that allow file system access.
Modified: incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/http/GadgetRenderingServlet.java
Modified: incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/http/GadgetRenderingServlet.java
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/http/GadgetRenderingServlet.java?rev=631422&r1=631421&r2=631422&view=diff
==============================================================================
--- incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/http/GadgetRenderingServlet.java (original)
+++ incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/http/GadgetRenderingServlet.java Tue Feb 26 15:05:53 2008
@@ -94,6 +94,12 @@
 return;
 }
+ if (!"http".equals(uri.getScheme()) && !"https".equals(uri.getScheme())) {
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST,
+ "Unsupported scheme (must be http or https).");
+ return;
+ }
+
 if (!validateParent(req)) {
 logger.info("Invalid parent");
 resp.sendError(HttpServletResponse.SC_BAD_REQUEST,
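Review bot: The new scheme guard on `uri` only covers the URI the servlet starts with; if the RemoteContentFetcher follows redirects (the log message cites redirection exploits as the motivation), a 3xx whose Location points at a `file:` target would bypass this check, so the same test should be applied where the fetcher follows a redirect, which is outside this hunk. The comparison is also case-sensitive, which fails closed (an `HTTP://` URL gets a 400) — acceptable, but if that is unintended, `"http".equalsIgnoreCase(...)` matches RFC 3986's case-insensitive scheme. Consider pulling the test into a private helper, `private static boolean isHttpScheme(URI uri) { String s = uri.getScheme(); return "http".equalsIgnoreCase(s) || "https".equalsIgnoreCase(s); }`, so both call sites share one definition of "allowed scheme". The enclosing method begins before this hunk, so where `uri` is parsed and whether it is taken from the request is not visible here.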