Skip to content

DefaultRedirectStrategy should not calculate relative url if it does not contain the context-path #4142

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 23, 2019
Merged

DefaultRedirectStrategy should not calculate relative url if it does not contain the context-path #4142

merged 1 commit into from
Oct 23, 2019

Conversation

mpalourdio
Copy link
Contributor

Hello,

When defining a redirect strategy, after a logout for example, you can force the redirection to be context relative, by setContextRelative(true).

If by mistake (or not), you want the redirect target to be an absolute url completely outside of your context-path (eg: http://www.google.com), this url obviously does not contain your context-path.

This lead to DefaultRedirectStrategy#calculateRedirectUrl silently calculating a completely wrong URL if contextRelative is true

This PR checks is the URL contains the context-path. If not, it early returns the untouched url.

Another possibility would be to throw an IllegalArgumentException if contextRelative is true BUT url is absolute AND does not contain the context-path.

@pivotal-issuemaster
Copy link

@mpalourdio Please sign the Contributor License Agreement!

Click here to manually synchronize the status of this Pull Request.

See the FAQ for frequently asked questions.

@pivotal-issuemaster
Copy link

@mpalourdio Thank you for signing the Contributor License Agreement!

@mpalourdio mpalourdio mentioned this pull request Feb 1, 2017
Open
@rwinch rwinch force-pushed the master branch 2 times, most recently from 0e114c6 to fd244eb Compare June 8, 2017 22:26
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label May 7, 2019
@eleftherias
Copy link
Contributor

Thanks for the PR @mpalourdio!
I agree that this situation leads to unexpected behaviour, but I don't think returning the full URL is the right solution.
According to the Javadoc of the sendRedirect method: If contextRelative is set, the redirect value will be the value after the request context path.
In the case where the redirect URL does not contain the context path, it may be reasonable to return the empty String ("").
Does that seem like sensible behaviour to you?

@eleftherias eleftherias self-assigned this Oct 15, 2019
@eleftherias eleftherias added status: waiting-for-feedback We need additional information before we can continue and removed status: waiting-for-triage An issue we've not yet triaged labels Oct 15, 2019
@mpalourdio
Copy link
Contributor Author

@eleftherias Thanks for feedback. I haven't really thought about this, it's been a while now :)

But looking at the fact that you would prefer returning an empty string, here is how it would look

if (isContextRelative() && !url.contains(contextPath)) {
     return "";
}

Which would lead to sendRedirect(""); Which is bad too IMO.

As a security library, I finally think that it simply should fail by throwing an exception.
Anyway, the decision is yours, and I can adapt the PR if still needed.

Otherwise, feel free to close this issue.

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Oct 16, 2019
@eleftherias
Copy link
Contributor

@mpalourdio My concern with throwing an exception in the DefaultRedirectStrategy class is that the end user will end up on the generic browser error page with a 500 status code, and they won't know how to proceed.
For example an IllegalArgumentException won't be handled anywhere down the line and will result in a 500 status code.

My thought with returning "" is that users will still remain within the application (since they will be redirected to the base context), rather than being redirected to an external URL that the application did not intend.

Let me know if you think there is a better approach, or an exception that is better suited than IllegalArgumentException.

@mpalourdio
Copy link
Contributor Author

@eleftherias I have updated the PR so that it redirects to "" when needed.

@eleftherias
Copy link
Contributor

eleftherias commented Oct 22, 2019
edited
Loading

@mpalourdio Thank you for the quick turnaround. One last request is to change the URL in the test from "http://redirectme.somewhere.else" to "https://redirectme.somewhere.else". We avoid using "http://" in our code and use the nohttp library to find occurrences. You can read more about it here https://github.com/spring-io/nohttp.

@mpalourdio
Copy link
Contributor Author

@eleftherias done :)

@eleftherias eleftherias merged commit d26f40f into spring-projects:master Oct 23, 2019
@eleftherias
Copy link
Contributor

Thanks for all your work @mpalourdio! This is now merged into master.

@mpalourdio mpalourdio deleted the contextrelative branch October 29, 2019 20:16
@eleftherias eleftherias added in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement and removed status: feedback-provided Feedback has been provided labels Dec 17, 2019
@yoshikawaa yoshikawaa mentioned this pull request Apr 16, 2020
Merged
@btyanagawamg btyanagawamg mentioned this pull request Apr 22, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@eleftherias eleftherias

Labels
in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mpalourdio @pivotal-issuemaster @eleftherias @spring-projects-issues