SEC-1328: RedirectUtils/DefaultRedirectStrategy contextRelative redirect doesn't account for url like http://context.xyz.com/context #1574

Closed
spring-issuemaster opened this Issue Dec 15, 2009 · 2 comments

1 participant

@spring-issuemaster

Hal Deadman (Migrated from SEC-1328) said:

Unfortunately in our production URL the hostname starts with same string as the context so the code that searches for the context in order to strip off everything before it finds the first occurance and leaves a chunk of URL (since the slash from the protocol helps match the slash in the context).

The current code does this:
int len = request.getContextPath().length();
int index = url.indexOf(request.getContextPath()) + len;
finalUrl = url.substring(index);

I fixed it by doing:
url = url.replaceFirst(".*://", ""); // strip off protocol
int len = request.getContextPath().length();
int index = url.indexOf(request.getContextPath()) + len;
finalUrl = url.substring(index);

Since I am using spring-security-2.0.5 the only way I can fix is by copying the class and modifying it in my project to override the one in the jar. I suppose in Spring 3.0 I will be able to create my own RedirectStrategy. I know this probably will only ever impact me but I hope it is worth fixing.

Thanks.

@spring-issuemaster

Luke Taylor said:

Thanks for the report. Seems like a common enough situation that it is worth fixing.

@spring-issuemaster

Luke Taylor said:

Should be fixed in trunk. I've basically followed your suggestion of stripping off the protocol up to "://"

@spring-issuemaster spring-issuemaster added this to the 3.0.0 milestone Feb 5, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment