SEC-1772: Unneeded URL decode in SimpleUrlLogoutSuccessHandler #2006

Closed
spring-issuemaster opened this Issue Jun 27, 2011 · 1 comment

Mikhail Mazursky (Migrated from SEC-1772) said:

The URLDecoder.decode(targetUrl, "UTF-8") call is not needed in org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler, and it breaks URLs with GET parameters escaped in them.

P.S. Also, isUseReferer() is missing.

Luke Taylor said:

I've removed the decoding. This was part of the patch for SEC-213, which was related to CAS proxying. I'm not sure if there was a valid reason for it then, but CAS proxying no longer requires redirects, so it no longer seems necessary in any case.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.RC3 milestone Feb 5, 2016
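
The breakage reported in this issue, as an added example that is not part of the original thread or of Spring Security's code: decoding a whole target URL before redirecting to it lets the percent-encoded `&` inside one parameter value become a top-level separator, so the nested `b=2` turns into a parameter of the outer URL. The class name, the `rawQueryParams` helper and the sample URL are constructed for illustration.

```java
import java.net.URLDecoder;
import java.util.LinkedHashMap;
import java.util.Map;

public class LogoutTargetDecodeDemo {

    // Hypothetical helper: split a URL's query string into raw (still-encoded)
    // name/value pairs, the way the server receiving the redirect will see them.
    static Map<String, String> rawQueryParams(String url) {
        Map<String, String> params = new LinkedHashMap<>();
        int q = url.indexOf('?');
        if (q < 0) {
            return params;
        }
        for (String pair : url.substring(q + 1).split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(name, value);
        }
        return params;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the "return" parameter carries a nested URL whose
        // own '?', '=' and '&' are percent-encoded so they stay inside one value.
        String targetUrl =
            "https://app.example/bye?return=https%3A%2F%2Fsso.example%2Flogin%3Fa%3D1%26b%3D2";

        // The call this issue reports as unneeded: decoding the full URL
        // before it is used as the redirect target.
        String decoded = URLDecoder.decode(targetUrl, "UTF-8");

        // One parameter as supplied; two different parameters after decoding.
        System.out.println("as supplied : " + rawQueryParams(targetUrl));
        System.out.println("after decode: " + rawQueryParams(decoded));
    }
}
```

Because the redirect target no longer matches what the caller supplied, any allow-list or validation applied to the target should run on the same string that is actually sent in the `Location` header.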