SEC-1255: Target-URL after successful login differs from original URL, when it was encoded according to RFC 3986 #1507

Closed
spring-issuemaster opened this Issue Oct 1, 2009 · 1 comment

1 participant

@spring-issuemaster

Kai Moritz (Migrated from SEC-1255) said:

Suppose a secured URL that contains a special character (like '?'), which must be encoded according to RFC 3986.
Example: "/servletname/foo%3Fbar.html", where "%3F" encodes the "?".

After a successful login the URL is rebuilt by org.springframework.security.util.UrlUtils.
But UrlUtils builds up the full URL from its decoded parts, so that the rebuilt URL becomes something like "http://HOSTNAME:PORT/servletname/foo?bar.html", which is not encoded correctly, thus resulting in a 404 error.

I suggest using the Request-URI, which is not decoded by the Servlet and contains, as far as I know, everything after the "http://HOSTNAME:PORT" up to the Query-String.
That URI is not decoded by the Servlet, thus the rebuilt full URL would still be valid.

Encoding the rebuilt URL would not work, because all special characters (like contained slashes for example) would be encoded then, which is, as far as I know, not correct.

@spring-issuemaster

Luke Taylor said:

Thanks for the report. I've modified the URL building for redirects to use the requestURI to ensure it remains encoded. The path matching URLs will still be decoded (i.e. those used for comparison with paths in intercept-url etc).
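The two ways of rebuilding the redirect target discussed in this thread (concatenating the container-decoded path versus reusing the still-encoded request URI), as an added illustration that is not part of the issue and not Spring Security's own code. It models the Servlet API in plain Python: `RAW_REQUEST_URI` stands in for `getRequestURI()` and `DECODED_PATH` for the decoded servlet path, and the host, port and paths are constructed sample values. It also goes one step beyond the reported "%3F" case to show why decoding is lossy in general: a "%2F" in the original cannot be recovered by re-encoding the decoded path, since the decoded slash is indistinguishable from a real segment separator.

```python
from urllib.parse import quote, unquote, urlsplit

# Constructed sample request: http://example.test:8080/servletname/foo%3Fbar.html
SCHEME, HOST, PORT = "http", "example.test", 8080
RAW_REQUEST_URI = "/servletname/foo%3Fbar.html"   # like getRequestURI(): still percent-encoded
DECODED_PATH = unquote(RAW_REQUEST_URI)           # like getServletPath()+getPathInfo(): container-decoded


def build_from_decoded_parts(scheme, host, port, decoded_path, query=None):
    """Pre-fix behaviour described in the report: the full URL is concatenated
    from the decoded path, so an encoded '?' in the path becomes a literal '?'."""
    url = f"{scheme}://{host}:{port}{decoded_path}"
    if query:
        url += "?" + query
    return url


def build_from_request_uri(scheme, host, port, request_uri, query=None):
    """Fix described in the reply: reuse the undecoded request URI, so the
    percent-encoding the client originally sent is preserved in the redirect."""
    url = f"{scheme}://{host}:{port}{request_uri}"
    if query:
        url += "?" + query
    return url


def resource_requested(url):
    """What a client following the redirect asks the server for: the path and
    query it derives from the URL, which is where the two builders diverge."""
    parts = urlsplit(url)
    return parts.path, parts.query


def reencode_round_trip(request_uri):
    """Decode a request URI the way a container would, then percent-encode the
    result again (keeping '/' as a separator). Returns (reencoded, is_lossless)
    so the caller can see whether the original URI survives the round trip."""
    reencoded = quote(unquote(request_uri), safe="/")
    return reencoded, reencoded == request_uri


if __name__ == "__main__":
    bad = build_from_decoded_parts(SCHEME, HOST, PORT, DECODED_PATH)
    good = build_from_request_uri(SCHEME, HOST, PORT, RAW_REQUEST_URI)
    print("from decoded parts:", bad, "->", resource_requested(bad))
    print("from request URI:  ", good, "->", resource_requested(good))
    # Encoded '?' can be re-encoded, but an encoded '/' cannot be told apart
    # from a real path separator once the container has decoded it.
    print(reencode_round_trip("/servletname/foo%3Fbar.html"))
    print(reencode_round_trip("/servletname/a%2Fb.html"))
```

The check to take away is `resource_requested`: the decoded-parts URL sends the browser to `/servletname/foo` with query `bar.html`, a different resource from the one the user originally asked for, whereas the request-URI version reproduces `/servletname/foo%3Fbar.html` exactly. The round-trip helper shows that re-encoding after decoding is only a partial fix, which is why carrying the original, undecoded URI through is the robust choice.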

@spring-issuemaster spring-issuemaster added this to the 3.0.0 RC1 milestone Feb 5, 2016