1 | /* | |
2 | * Copyright (c) 2003-2011, Simon Brown | |
3 | * All rights reserved. | |
4 | * | |
5 | * Redistribution and use in source and binary forms, with or without | |
6 | * modification, are permitted provided that the following conditions are met: | |
7 | * | |
8 | * - Redistributions of source code must retain the above copyright | |
9 | * notice, this list of conditions and the following disclaimer. | |
10 | * | |
11 | * - Redistributions in binary form must reproduce the above copyright | |
12 | * notice, this list of conditions and the following disclaimer in | |
13 | * the documentation and/or other materials provided with the | |
14 | * distribution. | |
15 | * | |
16 | * - Neither the name of Pebble nor the names of its contributors may | |
17 | * be used to endorse or promote products derived from this software | |
18 | * without specific prior written permission. | |
19 | * | |
20 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
21 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
23 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE | |
24 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | |
25 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | |
26 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | |
27 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | |
28 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
29 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | |
30 | * POSSIBILITY OF SUCH DAMAGE. | |
31 | */ | |
32 | ||
33 | package net.sourceforge.pebble.security; | |
34 | ||
35 | import org.springframework.security.web.RedirectStrategy; | |
36 | ||
37 | import javax.servlet.http.HttpServletRequest; | |
38 | import javax.servlet.http.HttpServletResponse; | |
39 | import java.io.IOException; | |
40 | import java.net.URI; | |
41 | ||
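/**
 * Redirect strategy that prevents redirection to URLs outside of Pebble. It does this by removing the URI scheme
 * and authority sections if either exists, so that the location sent back to the browser is always a reference
 * relative to the current host.
 */
public class PebbleRedirectStrategy implements RedirectStrategy {

  /**
   * Sends a redirect to {@code url} after sanitising it so that it cannot leave the current host.
   *
   * @param request  the current request; its context path is used to anchor relative references
   * @param response the response the redirect is written to
   * @param url      the requested redirect target, absolute or relative
   * @throws IOException              if the redirect cannot be written to the response
   * @throws IllegalArgumentException if {@code url} is not a syntactically valid URI
   */
  public void sendRedirect(HttpServletRequest request, HttpServletResponse response, String url) throws IOException {
    String target = sanitiseUrl(request.getContextPath(), url);
    response.sendRedirect(response.encodeRedirectURL(target));
  }

  /**
   * Reduces {@code url} to a reference that cannot point at another host.
   * <p>
   * A plain relative reference (no scheme, no authority) is returned prefixed with {@code contextPath}.
   * Anything carrying a scheme or an authority is treated as external: only its raw path and raw query are
   * kept (the path is assumed to already contain the context path), and the fragment is dropped. A scheme
   * without an authority is treated as external as well, because when {@code contextPath} is empty the
   * scheme would otherwise be passed through to the browser unchanged.
   *
   * @param contextPath the web application's context path, possibly empty
   * @param url         the redirect target to sanitise
   * @return a same-host reference derived from {@code url}; may be empty if nothing but scheme/authority was given
   * @throws IllegalArgumentException if {@code url} is not a syntactically valid URI
   */
  public static String sanitiseUrl(String contextPath, String url) {
    URI uri = URI.create(url);
    if (uri.getRawAuthority() == null && uri.getScheme() == null) {
      // Relative reference: anchor it under the web application.
      return contextPath + url;
    }

    // Scheme and/or authority present: keep only the path and query so the result is host-relative.
    StringBuilder sb = new StringBuilder();
    String path = uri.getRawPath();
    if (path != null) {
      sb.append(path);
    }
    String query = uri.getRawQuery();
    if (query != null) {
      sb.append('?').append(query);
    }
    return sb.toString();
  }
}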