Return-Path: X-Original-To: apmail-sling-commits-archive@www.apache.org Delivered-To: apmail-sling-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 9DA9CF083 for ; Tue, 1 Oct 2013 12:08:33 +0000 (UTC) Received: (qmail 11380 invoked by uid 500); 1 Oct 2013 12:08:31 -0000 Delivered-To: apmail-sling-commits-archive@sling.apache.org Received: (qmail 11339 invoked by uid 500); 1 Oct 2013 12:08:29 -0000 Mailing-List: contact commits-help@sling.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@sling.apache.org Delivered-To: mailing list commits@sling.apache.org Received: (qmail 11331 invoked by uid 99); 1 Oct 2013 12:08:26 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 01 Oct 2013 12:08:26 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 01 Oct 2013 12:08:25 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 7FF3C2388860; Tue, 1 Oct 2013 12:08:05 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1528062 - /sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationFormServlet.java Date: Tue, 01 Oct 2013 12:08:05 -0000 To: commits@sling.apache.org 
From: cziegeler@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20131001120805.7FF3C2388860@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: cziegeler Date: Tue Oct 1 12:08:05 2013 New Revision: 1528062 URL: http://svn.apache.org/r1528062 Log: SLING-3141 : AbstractAuthenticationFormServlet should make sure resource is a valid redirect Modified: sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationFormServlet.java Modified: sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationFormServlet.java URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationFormServlet.java?rev=1528062&r1=1528061&r2=1528062&view=diff ==============================================================================
--- sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationFormServlet.java (original)
+++ sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationFormServlet.java Tue Oct 1 12:08:05 2013
@@ -130,15 +130,49 @@ public abstract class AbstractAuthentica
 throws IOException {
 String form = getRawForm();
- form = form.replace("${resource}", escapeXml(getResource(request)));
- form = form.replace("${j_reason}", escapeXml(getReason(request)));
- form = form.replace("${requestContextPath}", escapeXml(getContextPath(request)));
- form = form.replace("${contextPath}", escapeXml(request.getContextPath()));
+ final String resource = cleanse(request, getResource(request));
+ final String reason = getReason(request);
+ final String resourceContextPath = cleanse(request, getContextPath(request));
+ final String contextPath = request.getContextPath();
+
+ // replace form placeholders with checked and filtered values
+ form = form.replace("${resource}", escape(resource));
+ form = form.replace("${j_reason}", escape(reason));
+ form = form.replace("${requestContextPath}", escape(resourceContextPath));
+ form = form.replace("${contextPath}", escape(contextPath));
 return form;
 }
- private static String escapeXml(final String input) {
+ /**
+ * Makes sure the given {@code target} is not pointing to some absolute
+ * location outside of the given {@code request} context. If so, the target
+ * must be ignored and an empty string is returned.
+ *

+ * This method uses the
+ * {@link AuthUtil#isRedirectValid(HttpServletRequest, String)} method.
+ *
+ * @param request The {@code HttpServletRequest} to test the {@code target}
+ * against.
+ * @param target The target location (URL) to test for validity.
+ * @return The target location if not pointing outside of the current
+ * request or an empty string.
+ */
+ private static String cleanse(final HttpServletRequest request, final String target) {
+ if (target.length() > 0 && !AuthUtil.isRedirectValid(request, target)) {
+ return "";
+ }
+ return target;
+ }
+
+ /**
+ * Escape the output.
+ * This method does a simple XML escaping for '<', '>' and '&'
+ * and also escapes single and double quotes.
+ * As these characters should never occur in a url this encoding should
+ * be fine.
+ */
+ private static String escape(final String input) {
 if (input == null) {
 return null;
 }
@@ -148,10 +182,14 @@ public abstract class AbstractAuthentica
 final char c = input.charAt(i);
 if(c == '&') {
 b.append("&");
- } else if(c == '<') {
+ } else if (c == '<') {
 b.append("<");
- } else if(c == '>') {
+ } else if (c == '>') {
 b.append(">");
+ } else if (c == '"') {
+ b.append("%22");
+ } else if (c == '\'') {
+ b.append("%27");
 } else {
 b.append(c);
 }
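Review bot: The Javadoc added for `escape` justifies replacing quotes with `%22`/`%27` on the grounds that these characters never occur in a URL, but the same method is applied to `${j_reason}` through `escape(reason)` in this hunk, and the reason is a message rather than a URL, so any quote in it reaches the user as a literal `%22`; the argument only holds for the three path-like placeholders. Either state in the Javadoc that reason values are expected to be quote-free, or escape quotes as `&quot;` and `&#39;` in the new branches of the second hunk, which is correct in both attribute and text context while still preventing attribute breakout. Separately, `cleanse` calls `target.length()` without the null guard that `escape` has; if `getResource(request)` or `getContextPath(request)` (both defined outside the hunk) can return null, the failure would presumably now occur in `cleanse`, and `if (target != null && target.length() > 0 && !AuthUtil.isRedirectValid(request, target))` would keep the two helpers consistent. If the class has a logger, a debug-level line on the rejected-target path would make refused redirect targets observable rather than silently replaced by an empty string. The enclosing method begins before the start of this hunk.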
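Review bot: The `&` branch at the top of this hunk is an unchanged context line and still reads `if(c == '&') {`, while the two sibling branches the commit touched were reformatted to `if (c == '<')` and `if (c == '>')`, which leaves the method with two spacing styles; if the reformat was intended, `if (c == '&') {` should go with it. As rendered on this page the replacements for `&`, `<` and `>` appear as `"&"`, `"<"` and `">"`, identical to the character being escaped, which would make the escape a no-op; this is most likely the mail archive unescaping `&amp;`/`&lt;`/`&gt;` entities in transit (the Javadoc in the previous hunk shows the same effect), but it is worth confirming against the repository rather than against this page. The surrounding loop and the `StringBuilder b` it appends to begin before the hunk, and the method ends after it.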