SEC-1790: Reject redirect locations containing CR or LF.

15 years ago · f5fbda42e5
4 changed files with 71 additions and 46 deletions
--- a/.gitignore
+++ b/.gitignore
@ -6,6 +6,7 @@ out/
				@@ -6,6 +6,7 @@ out/
 *.ipr
 *.iml
 *.iws
+*.log
 intellij/
 .settings
 .classpath
--- a/core/src/main/java/org/springframework/security/firewall/DefaultHttpFirewall.java
+++ b/core/src/main/java/org/springframework/security/firewall/DefaultHttpFirewall.java
@ -33,7 +33,7 @@ public class DefaultHttpFirewall implements HttpFirewall {
				@@ -33,7 +33,7 @@ public class DefaultHttpFirewall implements HttpFirewall {
    }

    public HttpServletResponse getFirewalledResponse(HttpServletResponse response) {
-        return response;
+        return new FirewalledResponse(response);
    }

    /**
--- a/core/src/main/java/org/springframework/security/firewall/FirewalledResponse.java
+++ b/core/src/main/java/org/springframework/security/firewall/FirewalledResponse.java
@ -0,0 +1,26 @@
				@@ -0,0 +1,26 @@
+package org.springframework.security.firewall;
+
+import javax.servlet.http.HttpServletResponseWrapper;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.regex.Pattern;
+
+/**
+ * @author Luke Taylor
+ */
+class FirewalledResponse extends HttpServletResponseWrapper {
+    Pattern CR_OR_LF = Pattern.compile("\\r|\\n");
+
+    public FirewalledResponse(HttpServletResponse response) {
+        super(response);
+    }
+
+    public void sendRedirect(String location) throws IOException {
+        // TODO: implement pluggable validation, instead of simple blacklisting.
+        // SEC-1790. Prevent redirects containing CRLF
+        if (CR_OR_LF.matcher(location).find()) {
+            throw new IllegalArgumentException("Invalid characters (CR/LF) in redirect location");
+        }
+        super.sendRedirect(location);
+    }
+}
--- a/core/src/main/java/org/springframework/security/ui/TargetUrlResolverImpl.java
+++ b/core/src/main/java/org/springframework/security/ui/TargetUrlResolverImpl.java
@ -28,7 +28,7 @@ import org.springframework.util.StringUtils;
				@@ -28,7 +28,7 @@ import org.springframework.util.StringUtils;

 /**
 * Default implementation for {@link TargetUrlResolver}
- * <p>
+ * <p/>
 * Returns a target URL based from the contents of the configured <tt>targetUrlParameter</tt> if present on
 * the current request. Failing that, the SavedRequest in the session will be used.
 *
@ -36,7 +36,6 @@ import org.springframework.util.StringUtils;
				@@ -36,7 +36,6 @@ import org.springframework.util.StringUtils;
 * @author Luke Taylor
 * @version $Id$
 * @since 2.0
- *
 */
 public class TargetUrlResolverImpl implements TargetUrlResolver {
    public static String DEFAULT_TARGET_PARAMETER = "spring-security-redirect";
@ -94,7 +93,6 @@ public class TargetUrlResolverImpl implements TargetUrlResolver {
				@@ -94,7 +93,6 @@ public class TargetUrlResolverImpl implements TargetUrlResolver {
        this.justUseSavedRequestOnGet = justUseSavedRequestOnGet;
    }

-    
    /**
     * Before checking the SavedRequest, the current request will be checked for this parameter
     * and the value used as the target URL if resent.
@ -103,7 +101,7 @@ public class TargetUrlResolverImpl implements TargetUrlResolver {
				@@ -103,7 +101,7 @@ public class TargetUrlResolverImpl implements TargetUrlResolver {
     *                           to "redirect".
     */
    public void setTargetUrlParameter(String targetUrlParameter) {
-	    Assert.hasText("targetUrlParamete canot be null or empty");
+        Assert.hasText("targetUrlParameter cannot be null or empty");
        this.targetUrlParameter = targetUrlParameter;
    }
 }