dxbjavid commented on code in PR #3241:
URL: https://github.com/apache/cxf/pull/3241#discussion_r3479280936
##########
rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java:
##########
@@ -115,8 +115,37 @@ private MultivaluedMap<String, String>
toRequestState(ContainerRequestContext rc
rc.setEntityStream(new
ByteArrayInputStream(StringUtils.toBytesUTF8(body)));
}
+ // The "state" carried here is read back by the sign-in completion
service and returned
+ // as a redirect Location, so a caller-supplied value collides with
the redirect query
+ // the filter itself writes. Anything that is not within this
application's own origin is
+ // dropped, otherwise completion would become an open redirect.
+ String location = requestState.getFirst("state");
+ if (location != null && !isSameOrigin(location)) {
+ requestState.remove("state");
+ }
return requestState;
}
+ private boolean isSameOrigin(String location) {
+ final URI uri;
+ try {
+ uri = URI.create(location);
+ } catch (IllegalArgumentException ex) {
+ return false;
+ }
+ if (uri.getScheme() == null && uri.getAuthority() == null) {
+ // a path-only reference is resolved by the browser against the
current request
+ return true;
+ }
+ String basePath = (String)mc.get("http.base.path");
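Review bot: the origin comparison at the end of the hunk reads the base path from the message context (`mc.get("http.base.path")`) even though `toRequestState` already receives the `ContainerRequestContext`; prefer passing `rc` into `isSameOrigin` and comparing `uri.getScheme()` and `uri.getAuthority()` against `rc.getUriInfo().getAbsolutePath()`, which reflects the request's actual scheme and host and avoids comparing against a null base path when that property is unset. The early `return true` for a value with neither scheme nor authority is the right call for path-only references; a value that carries an authority but no scheme does not take that branch and falls through to the host comparison, which is what you want, so a short Javadoc on `isSameOrigin` stating both rules would make the intent clear to the next reader.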
Review Comment:
Good shout, switched it over. isSameOrigin now takes the request context and
compares the location scheme and authority against
rc.getUriInfo().getAbsolutePath(), so it no longer reaches for http.base.path
off the message context. The filter test mocks getAbsolutePath instead and the
five cases still pass.
--
This is an automated message from the Apache Git Service.