SEC-1790: Reject redirect locations containing CR or LF.

This commit is contained in:
Luke Taylor
2011-07-27 16:24:30 +01:00
parent 6333909107
commit 824464516c
3 changed files with 67 additions and 1 deletions

View File

@@ -0,0 +1,39 @@
package org.springframework.security.web.firewall;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.fail;
import org.junit.*;
import org.springframework.mock.web.MockHttpServletResponse;
/**
* @author Luke Taylor
*/
public class FirewalledResponseTests {
@Test
public void rejectsRedirectLocationContaingCRLF() throws Exception {
MockHttpServletResponse response = new MockHttpServletResponse();
FirewalledResponse fwResponse = new FirewalledResponse(response);
fwResponse.sendRedirect("/theURL");
assertEquals("/theURL", response.getRedirectedUrl());
try {
fwResponse.sendRedirect("/theURL\r\nsomething");
fail();
} catch (IllegalArgumentException expected) {
}
try {
fwResponse.sendRedirect("/theURL\rsomething");
fail();
} catch (IllegalArgumentException expected) {
}
try {
fwResponse.sendRedirect("/theURL\nsomething");
fail();
} catch (IllegalArgumentException expected) {
}
}
}