[SLING-2360] AuthUtil.isRedirectValid makes wrong assumptions - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: Auth Core 1.1.0
Fix Version/s: Auth Core 1.1.0
Component/s: Authentication
Labels:
None

Description

The isRedirectValid method is assumed to be present to (a) not redirect outside of the scope of the Sling Web Container (by preventing absolute URLs to validate) and (b) not contain XSS strings (by checking the target with the request's resource resolver).

The second part is flawed, though:

Completely ignores request context path
Uses resource resolve to validate path (and assume side-effect support of being XSS
clean if a resource exists)
Doesn't really check for XSS violations if no resource resolver exists

We should not check with the resource resolver but implement some light-weight string checks with sensitive characters like <, >, ', and "

Attachments

Activity

People

Assignee:: Felix Meschberger

Reporter:: Felix Meschberger

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 12/Jan/12 09:26

Updated:: 30/Nov/12 17:56

Resolved:: 17/Jan/12 11:35