aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src/main/java/at/gv
diff options
context:
space:
mode:
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java13
1 files changed, 8 insertions, 5 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
index 3eaede028..1848fa6f7 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
@@ -27,6 +27,7 @@ import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.lang.StringEscapeUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
@@ -70,10 +71,13 @@ public class RedirectServlet {
IOAAuthParameters oa = null;
String redirectTarget = DEFAULT_REDIRECTTARGET;
try {
+ //validate URL
+ new java.net.URL(url);
+
oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(url);
String authURL = HTTPUtils.extractAuthURLFromRequest(req);
- if (oa == null && !AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix().contains(authURL)) {
+ if (oa == null || !AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix().contains(authURL)) {
resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Parameters not valid");
return;
@@ -90,7 +94,7 @@ public class RedirectServlet {
}
Logger.info("Redirect to " + url);
-
+
if (MiscUtil.isNotEmpty(target)) {
// redirectURL = addURLParameter(redirectURL, PARAM_TARGET,
// URLEncoder.encode(session.getTarget(), "UTF-8"));
@@ -108,7 +112,7 @@ public class RedirectServlet {
authURL,
DefaultGUIFormBuilderConfiguration.VIEW_REDIRECT,
null);
- config.putCustomParameter(URL, url);
+ config.putCustomParameter(URL, StringEscapeUtils.escapeHtml(url));
config.putCustomParameter(TARGET, redirectTarget);
guiBuilder.build(resp, config, "RedirectForm.html");
@@ -123,14 +127,13 @@ public class RedirectServlet {
resp.setStatus(HttpServletResponse.SC_FOUND);
resp.addHeader("Location", url);
-
} else {
Logger.debug("Redirect to " + url);
DefaultGUIFormBuilderConfiguration config = new DefaultGUIFormBuilderConfiguration(
authURL,
DefaultGUIFormBuilderConfiguration.VIEW_REDIRECT,
null);
- config.putCustomParameter(URL, url);
+ config.putCustomParameter(URL, StringEscapeUtils.escapeHtml(url));
guiBuilder.build(resp, config, "RedirectForm.html");
}