fix bug in servletMOA-ID-3.2.0

author: Thomas Lenz <tlenz@iaik.tugraz.at> 2016-11-18 13:03:32 +0100
committer: Thomas Lenz <tlenz@iaik.tugraz.at> 2016-11-18 13:04:56 +0100
commit: 0f4c4e1e8c897d06a4ba4aeea9657e4036ead50d (patch)
tree: ba76ae3075be8df2c88a4dbffe56b9527fe76646 /id/server/idserverlib/src/main
parent: d9d3e9ea53d93c52e1540de519b9f06a39d6b8fd (diff)
download: moa-id-spss-0f4c4e1e8c897d06a4ba4aeea9657e4036ead50d.tar.gz
moa-id-spss-0f4c4e1e8c897d06a4ba4aeea9657e4036ead50d.tar.bz2
moa-id-spss-0f4c4e1e8c897d06a4ba4aeea9657e4036ead50d.zip
1 files changed, 8 insertions, 5 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
index 3eaede028..1848fa6f7 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
@@ -27,6 +27,7 @@ import java.io.IOException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.lang.StringEscapeUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -70,10 +71,13 @@ public class RedirectServlet {
 		IOAAuthParameters oa = null;
 		String redirectTarget = DEFAULT_REDIRECTTARGET;
 		try {
+			//validate URL
+			new java.net.URL(url);
+			
 			oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(url);
 			String authURL = HTTPUtils.extractAuthURLFromRequest(req);
 			
-			if (oa == null && !AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix().contains(authURL)) {		
+			if (oa == null || !AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix().contains(authURL)) {		
 				resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Parameters not valid");
 				return;
 				
@@ -90,7 +94,7 @@ public class RedirectServlet {
 					}
 				
 					Logger.info("Redirect to " + url);
-					
+										
 					if (MiscUtil.isNotEmpty(target)) {
 //						redirectURL = addURLParameter(redirectURL, PARAM_TARGET,
 //								URLEncoder.encode(session.getTarget(), "UTF-8"));
@@ -108,7 +112,7 @@ public class RedirectServlet {
 							authURL, 
 							DefaultGUIFormBuilderConfiguration.VIEW_REDIRECT, 
 							null);
-					config.putCustomParameter(URL, url);
+					config.putCustomParameter(URL, StringEscapeUtils.escapeHtml(url));
 					config.putCustomParameter(TARGET, redirectTarget);
 					guiBuilder.build(resp, config, "RedirectForm.html");
 									
@@ -123,14 +127,13 @@ public class RedirectServlet {
 					resp.setStatus(HttpServletResponse.SC_FOUND);
 					resp.addHeader("Location", url);
 					
-					
 				} else {					
 					Logger.debug("Redirect to " + url);					
 					DefaultGUIFormBuilderConfiguration config = new DefaultGUIFormBuilderConfiguration(
 							authURL, 
 							DefaultGUIFormBuilderConfiguration.VIEW_REDIRECT, 
 							null);
-					config.putCustomParameter(URL, url);
+					config.putCustomParameter(URL, StringEscapeUtils.escapeHtml(url));
 					guiBuilder.build(resp, config, "RedirectForm.html");
 						
 				}
author	Thomas Lenz <tlenz@iaik.tugraz.at>	2016-11-18 13:03:32 +0100
committer	Thomas Lenz <tlenz@iaik.tugraz.at>	2016-11-18 13:04:56 +0100
commit	0f4c4e1e8c897d06a4ba4aeea9657e4036ead50d (patch)
tree	ba76ae3075be8df2c88a4dbffe56b9527fe76646 /id/server/idserverlib/src/main
parent	d9d3e9ea53d93c52e1540de519b9f06a39d6b8fd (diff)
download	moa-id-spss-0f4c4e1e8c897d06a4ba4aeea9657e4036ead50d.tar.gz moa-id-spss-0f4c4e1e8c897d06a4ba4aeea9657e4036ead50d.tar.bz2 moa-id-spss-0f4c4e1e8c897d06a4ba4aeea9657e4036ead50d.zip