SEC-1772: Unneeded URL decode in SimpleUrlLogoutSuccessHandler #2006

spring-issuemaster opened this Issue Jun 27, 2011 · 1 comment



Mikhail Mazursky (Migrated from SEC-1772) said:

URLDecoder.decode(targetUrl, "UTF-8") call is not needed in org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler and it breaks URLs with GET parameters escaped in them.

P.S. Also, isUseReferer() is missing.

Luke Taylor said:

I've removed the decoding. This was part of the patch for SEC-213, which was related to CAS proxying. I'm not sure if there was a valid reason for it then, but CAS proxying no longer requires redirects, so it no longer seems necessary in any case.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.RC3 milestone Feb 5, 2016
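
The effect reported in this issue, as an added example that is not part of the original thread or of Spring Security's code: it applies the same `URLDecoder.decode(targetUrl, "UTF-8")` call to a constructed target URL whose `next` parameter carries an escaped nested URL, then compares the query parameters a receiving server would see before and after. The class name, helper method and sample URL are assumptions made for the illustration.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.LinkedHashMap;
import java.util.Map;

public class LogoutTargetDecodeDemo {

    // Hypothetical helper: splits the query string into raw (still-encoded)
    // name/value pairs, the way a receiving server does before it decodes
    // each value individually.
    static Map<String, String> rawQueryParams(String url) {
        Map<String, String> params = new LinkedHashMap<String, String>();
        int q = url.indexOf('?');
        if (q < 0) {
            return params;
        }
        for (String pair : url.substring(q + 1).split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(name, value);
        }
        return params;
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        // Constructed sample: "next" holds a nested URL with its own query
        // string, so its '?', '=' and '&' are percent-encoded.
        String targetUrl = "/login?next=%2Fhome%3Fa%3D1%26b%3D2";

        // The call the issue reports as unneeded: it decodes the whole URL,
        // including the delimiters that were escaped inside "next".
        String decoded = URLDecoder.decode(targetUrl, "UTF-8");

        System.out.println("configured target : " + targetUrl);
        System.out.println("  parameters seen : " + rawQueryParams(targetUrl));
        System.out.println("after decode      : " + decoded);
        System.out.println("  parameters seen : " + rawQueryParams(decoded));
    }
}
```

After decoding, the escaped `&` inside `next` becomes a real delimiter, so the nested URL is truncated and part of it is promoted to a top-level parameter of the redirect target. Any check applied to the target URL before the decode is made against a different URL from the one the browser is redirected to.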
