SEC-2177: Striping off all leading schemes
Striping off all leading schemes in the DefaultRedirectStrategy, so it will be less vulnerable to open redirect phishing attacks. More info can be found at SEC-2177 JIRA issue.
This commit is contained in:
@@ -24,4 +24,17 @@ public class DefaultRedirectStrategyTests {
|
||||
|
||||
assertEquals("remainder", response.getRedirectedUrl());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void contextRelativeUrlWithMultipleSchemesInHostnameIsHandledCorrectly() throws Exception {
|
||||
DefaultRedirectStrategy rds = new DefaultRedirectStrategy();
|
||||
rds.setContextRelative(true);
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
request.setContextPath("/context");
|
||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
|
||||
rds.sendRedirect(request, response, "http://http://context.blah.com/context/remainder");
|
||||
|
||||
assertEquals("remainder", response.getRedirectedUrl());
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user