[DS-4133] Improve URL handling in Controlled Vocab JSPUI servlet

DSpace · Jan 14, 2022 · f775845 · f775845
1 parent e196e74
commit f775845
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/dspace-jspui/src/main/java/org/dspace/app/webui/servlet/ControlledVocabularyServlet.java b/dspace-jspui/src/main/java/org/dspace/app/webui/servlet/ControlledVocabularyServlet.java
@@ -14,6 +14,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.log4j.Logger;
 import org.dspace.authorize.AuthorizeException;
 import org.dspace.core.Context;
 
@@ -25,8 +26,8 @@
  */
 public class ControlledVocabularyServlet extends DSpaceServlet
 {
-    // private static Logger log =
-    // Logger.getLogger(ControlledVocabularyServlet.class);
+    private static Logger log =
+    Logger.getLogger(ControlledVocabularyServlet.class);
 
     protected void doDSGet(Context context, HttpServletRequest request,
             HttpServletResponse response) throws ServletException, IOException,
@@ -37,6 +38,13 @@ protected void doDSGet(Context context, HttpServletRequest request,
         String filter = "";
         String callerUrl = request.getParameter("callerUrl");
 
+        // callerUrl must starts with URL outside DSpace request context path
+        if(!callerUrl.startsWith(request.getContextPath())) {
+            log.error("Controlled vocabulary caller URL would result in redirect outside DSpace web app: " + callerUrl + ". Rejecting request with 400 Bad Request.");
+            response.sendError(400, "The caller URL must be within the DSpace base URL of " + request.getContextPath());
+            return;
+        }
+
         if (request.getParameter("ID") != null)
         {
             ID = request.getParameter("ID");