GTNPORTAL-3221 Login URL can be used to redirect to external sites

gatein · Nov 22, 2013 · ec0bec4 · ec0bec4
1 parent e4039fe
commit ec0bec4
Showing 1 changed file with 20 additions and 7 deletions.
diff --git a/component/web/security/src/main/java/org/exoplatform/web/login/LoginServlet.java b/component/web/security/src/main/java/org/exoplatform/web/login/LoginServlet.java
@@ -21,6 +21,8 @@
 
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
+import java.net.URI;
+import java.net.URISyntaxException;
 
 import javax.servlet.ServletConfig;
 import javax.servlet.ServletException;
@@ -180,29 +182,40 @@ protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws Se
         }
 
         // Obtain initial URI
-        String uri = req.getParameter("initialURI");
+        String initialURI = req.getParameter("initialURI");
 
         // Otherwise compute one
-        if (uri == null || uri.length() == 0) {
-            uri = req.getContextPath();
-            log.debug("No initial URI found, will use default " + uri + " instead ");
+        if (initialURI == null || initialURI.length() == 0) {
+            initialURI = req.getContextPath();
+            log.debug("No initial URI found, will use default " + initialURI + " instead ");
         } else {
-            log.debug("Found initial URI " + uri);
+            log.debug("Found initial URI " + initialURI);
+        }
+
+        try {
+            URI uri = new URI(initialURI);
+            if (uri.isAbsolute() && !(uri.getHost().equals(req.getServerName()))) {
+                log.warn("Cannot redirect to an URI outside of the current host when using a login redirect. Redirecting to the portal context path instead.");
+                initialURI = req.getContextPath();
+            }
+        } catch (URISyntaxException e) {
+            log.warn("Initial URI in login link is malformed. Redirecting to the portal context path instead.");
+            initialURI = req.getContextPath();
         }
 
         // Redirect to initialURI
         if (status == AUTHENTICATED) {
             // Response may be already committed in case of SAML or other SSO providers
             if (!resp.isCommitted()) {
-                resp.sendRedirect(resp.encodeRedirectURL(uri));
+                resp.sendRedirect(resp.encodeRedirectURL(initialURI));
             }
         } else {
             if (status == FAILED) {
                 req.setAttribute("org.gatein.portal.login.error", "whatever");
             }
 
             // Show login form or redirect to SSO url (/portal/sso) if SSO is enabled
-            req.setAttribute("org.gatein.portal.login.initial_uri", uri);
+            req.setAttribute("org.gatein.portal.login.initial_uri", initialURI);
             SSOHelper ssoHelper = (SSOHelper) getContainer().getComponentInstanceOfType(SSOHelper.class);
             if (ssoHelper.skipJSPRedirection()) {
                 String ssoRedirectUrl = req.getContextPath() + ssoHelper.getSSORedirectURLSuffix();