LUTECE-2206 : Avoid open redirect when modifying a theme

seboo · seboo · commit 11daa05c75ad · 2018-08-07T18:14:58.000+02:00
diff --git a/src/java/fr/paris/lutece/portal/web/style/ThemesJspBean.java b/src/java/fr/paris/lutece/portal/web/style/ThemesJspBean.java
@@ -138,7 +138,8 @@ public String doModifyUserTheme( HttpServletRequest request, HttpServletResponse
         String strTheme = request.getParameter( PARAMETER_THEME );
         String strForwardUrl = request.getParameter( PARAMETER_URL );
 
-        if ( !SecurityUtil.containsCleanParameters( request ) )
+        if ( !SecurityUtil.containsCleanParameters( request ) 
+                || !SecurityUtil.isForwardUrlValid( strForwardUrl, request) )
         {
             return AppPathService.getBaseUrl( request );
         }
diff --git a/src/java/fr/paris/lutece/util/http/SecurityUtil.java b/src/java/fr/paris/lutece/util/http/SecurityUtil.java
@@ -33,6 +33,7 @@
  */
 package fr.paris.lutece.util.http;
 
+import fr.paris.lutece.portal.service.util.AppPathService;
 import fr.paris.lutece.portal.web.LocalVariables;
 import fr.paris.lutece.util.string.StringUtil;
 
@@ -266,6 +267,36 @@ public static String getRealIp( HttpServletRequest request )
 
         return strIPAddress;
     }
+    
+    /**
+     * Validate a forward URL, 
+     * the url should :
+     *      - not be blank (null or empty string or spaces)
+     *      - start with the base URL, or not start with "http" or "//"
+     * 
+     * example with a base url "https://lutece.fr/ :
+     *      - valid : /jsp/site/Portal.jsp , Another.jsp , https://lutece.fr/jsp/site/Portal.jsp
+     *      - invalid : http://anothersite.com , https://anothersite.com , //anothersite.com , file://my.txt , ...
+     * 
+     * @param strForwardUrl
+     * @param request
+     * @return 
+     */
+    public static boolean isForwardUrlValid( String strForwardUrl, HttpServletRequest request ) 
+    {
+
+        if ( StringUtils.isBlank( strForwardUrl) ) return false ;
+        
+        if ( ( strForwardUrl.startsWith("//") || strForwardUrl.contains("://") ) 
+                && !strForwardUrl.startsWith ( AppPathService.getBaseUrl( request ) ) )  {
+            return false;
+        }
+        else
+        {
+            return true;
+        }
+    }
+    
 
     /**
      * Identify user data saved in log files to prevent Log Forging attacks

Original file line number	Diff line number	Diff line change
`@@ -138,7 +138,8 @@ public String doModifyUserTheme( HttpServletRequest request, HttpServletResponse`
`138`	`138`	`String strTheme = request.getParameter( PARAMETER_THEME );`
`139`	`139`	`String strForwardUrl = request.getParameter( PARAMETER_URL );`
`140`	`140`
`141`		`- if ( !SecurityUtil.containsCleanParameters( request ) )`
	`141`	`+ if ( !SecurityUtil.containsCleanParameters( request )`
	`142`	`+ \|\| !SecurityUtil.isForwardUrlValid( strForwardUrl, request) )`
`142`	`143`	`{`
`143`	`144`	`return AppPathService.getBaseUrl( request );`
`144`	`145`	`}`