Ronald,

On 3/31/2011 8:21 PM, Christopher Schultz wrote:
> On 3/31/2011 7:05 AM, Ronald Klop wrote:
>> I would say that some proper input validation solves your problem.
>> Does new URL(redirectURL).toString() give an exception on invalid URLs?
>
> new URL(String) will throw a MalformedURLException if there are illegal
> characters in the URL.
>
> I suppose that's good enough for my purposes: the only returnURLs that
> should be generated should be coming from our own application, and if
> they are broken, it's a bug. If a MalformedURLException is thrown, it
> should be due to some sort of malicious use and the user is better off
> getting a nasty error than just about anything else.

Apparently, it's more complicated than that... at least when it comes to my particular application. We want to keep the URLs as short as possible, so they are not fully-qualified in most cases. Instead, they are webapp-relative, and blindly passing them into the java.net.URL constructor fails even for "real" URLs because they have no protocol.

Now, I could add code to fully-qualify them, but then I'd be doing work I'm already asking the container to do for me (since HttpServletResponse.sendRedirect is required to fully-qualify the URL anyway) and I'd prefer to rely on the container for that task -- it's likely to do a better job, anyway :)

I think I'm going to standardize on simply scanning for troublesome characters like \r and \n and throwing a MalformedURLException or something like that. If anyone else has any good ideas or warnings about what might be a naive sanitization check, I'd be glad to hear them.
Thanks,
-chris
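One way to implement the check described in the message above, as an added example that is not code from this thread or from Tomcat. It assumes a hypothetical helper class `RedirectUrlValidator` that sits in front of `sendRedirect()`; beyond scanning for \r and \n it rejects every control character and enforces that the target really is webapp-relative, since a two-character denylist is the kind of naive check the message asks about. The sample inputs are constructed.

```java
import java.net.MalformedURLException;

/** Validates a webapp-relative redirect target before it reaches sendRedirect(). */
public final class RedirectUrlValidator {

    private RedirectUrlValidator() {}

    /**
     * Accepts only a path relative to this webapp, e.g. "/account?tab=2".
     * Throws MalformedURLException for anything that could alter the
     * Location header or send the browser to another host.
     */
    public static String validateWebappRelative(String url) throws MalformedURLException {
        if (url == null || url.isEmpty()) {
            throw new MalformedURLException("empty redirect target");
        }
        // Reject every control character, not just \r and \n: none of them
        // belong in a header value, and a two-character denylist is easy to miss.
        for (int i = 0; i < url.length(); i++) {
            char c = url.charAt(i);
            if (c < 0x20 || c == 0x7f) {
                throw new MalformedURLException("control character at index " + i);
            }
        }
        // A webapp-relative target begins with exactly one "/". Anything else is
        // either a scheme ("http:", "javascript:") or scheme-relative ("//other.host"),
        // which the container would pass through to a different host. Some browsers
        // normalise "/\" to "//", so it is treated the same way.
        if (url.charAt(0) != '/' || url.startsWith("//") || url.startsWith("/\\")) {
            throw new MalformedURLException("not a webapp-relative path: " + url);
        }
        // No percent-decoding is done here: sendRedirect() emits the string as given,
        // so an encoded "%0d%0a" stays encoded and is harmless in a Location header.
        return url;
    }

    // Constructed inputs for a quick stand-alone run.
    public static void main(String[] args) {
        String[] samples = {
            "/account/summary?tab=2",      // accepted
            "/login\r\nX-Injected: 1",     // rejected: control characters
            "//other.example/landing",     // rejected: scheme-relative
            "http://other.example/",       // rejected: absolute URL
        };
        for (String s : samples) {
            try {
                System.out.println("OK   " + validateWebappRelative(s));
            } catch (MalformedURLException e) {
                System.out.println("FAIL " + e.getMessage());
            }
        }
    }
}
```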