reta commented on code in PR #3241:
URL: https://github.com/apache/cxf/pull/3241#discussion_r3468627425


##########
rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java:
##########
@@ -115,8 +115,37 @@ private MultivaluedMap<String, String> 
toRequestState(ContainerRequestContext rc
             rc.setEntityStream(new 
ByteArrayInputStream(StringUtils.toBytesUTF8(body)));
 
         }
+        // The "state" carried here is read back by the sign-in completion 
service and returned
+        // as a redirect Location, so a caller-supplied value collides with 
the redirect query
+        // the filter itself writes. Anything that is not within this 
application's own origin is
+        // dropped, otherwise completion would become an open redirect.
+        String location = requestState.getFirst("state");
+        if (location != null && !isSameOrigin(location)) {
+            requestState.remove("state");
+        }
         return requestState;
     }
+    private boolean isSameOrigin(String location) {
+        final URI uri;
+        try {
+            uri = URI.create(location);
+        } catch (IllegalArgumentException ex) {
+            return false;
+        }
+        if (uri.getScheme() == null && uri.getAuthority() == null) {
+            // a path-only reference is resolved by the browser against the 
current request
+            return true;
+        }
+        String basePath = (String)mc.get("http.base.path");
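Review bot: The rejection in `toRequestState` is silent: `requestState.remove("state")` drops a value that fails `isSameOrigin` without any log record, so an operator gets no signal that a redirect target was refused. Suggest a warning inside the `if`, e.g. `LOG.warning("Dropping state parameter that is not same-origin");` (without echoing the raw value at a high log level), and a Javadoc line on `isSameOrigin` stating that only a reference with neither scheme nor authority is accepted outright while any value that carries an authority, scheme-relative ones included, falls through to the `http.base.path` comparison, since the inline comment currently describes the path-only case alone. As `(String)mc.get("http.base.path")` can yield null when the property is absent, the comparison that follows the hunk should guard against that too.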

Review Comment:
   Wondering if we could use `rc.getUriInfo().getAbsolutePath()` here to verify `scheme` and `authority`?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
