SEC-2159: OpenIDAuthenticationFilter.buildReturnToUrl() should call response.encodeUrl() #2385
Labels: in: core (An issue in spring-security-core); type: enhancement (A general enhancement); type: jira (An issue that was migrated from JIRA)
Janning Vygen (Migrated from SEC-2159) said:
protected String buildReturnToUrl(HttpServletRequest request)
{
...
return sb.toString();
}
should be
// new property, false by default for backwards compatibility
private boolean encodeReturnToUrl = false;

protected String buildReturnToUrl(HttpServletRequest request, HttpServletResponse response)
{
    ...
    if (encodeReturnToUrl) {
        // run the URL through the response so container and wrapper rewrites apply
        return response.encodeRedirectURL(sb.toString());
    }
    return sb.toString();
}
This way the usual rules about outbound URLs apply. In our case we have an OutboundRewriteRule which rewrites all URLs.
For backwards compatibility, a property "encodeReturnToUrl" should be added which is false by default.
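The following is an added stand-alone sketch of what the proposed flag would change; it is neither the reporter's code nor Spring Security's. The class stands in for the filter, the OriginRewritingResponse wrapper stands in for whatever URL-rewriting filter (such as an OutboundRewriteRule) wraps the response, and the `target` parameter, the host names and the fake request/response proxies are all constructed for the demo. It assumes the Servlet API (javax.servlet) on the classpath and JDK 10 or later.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Sketch of the proposed encodeReturnToUrl flag. Not Spring Security's code: this class
 * stands in for OpenIDAuthenticationFilter, and the wrapper stands in for a URL-rewriting
 * filter (an OutboundRewriteRule, say) that has wrapped the response.
 */
public class ReturnToUrlDemo {

    /** Hypothetical outbound rewrite: replace the internal origin with the public one. */
    static class OriginRewritingResponse extends HttpServletResponseWrapper {
        private final String publicOrigin;

        OriginRewritingResponse(HttpServletResponse delegate, String publicOrigin) {
            super(delegate);
            this.publicOrigin = publicOrigin;
        }

        @Override
        public String encodeRedirectURL(String url) {
            int pathStart = url.indexOf('/', url.indexOf("://") + 3);
            String rewritten = pathStart < 0 ? publicOrigin : publicOrigin + url.substring(pathStart);
            // Delegate so the container can still add its own session tracking if it needs to.
            return super.encodeRedirectURL(rewritten);
        }
    }

    /** Off by default, as proposed, so existing deployments see no change. */
    private boolean encodeReturnToUrl = false;

    /** Hypothetical: request parameters carried over into return_to. */
    private final List<String> returnToUrlParameters = Arrays.asList("target");

    public void setEncodeReturnToUrl(boolean encodeReturnToUrl) {
        this.encodeReturnToUrl = encodeReturnToUrl;
    }

    protected String buildReturnToUrl(HttpServletRequest request, HttpServletResponse response) {
        StringBuffer sb = request.getRequestURL();
        boolean first = true;
        for (String name : returnToUrlParameters) {
            String value = request.getParameter(name);
            if (value == null) {
                continue;
            }
            sb.append(first ? '?' : '&')
              .append(URLEncoder.encode(name, StandardCharsets.UTF_8))
              .append('=')
              .append(URLEncoder.encode(value, StandardCharsets.UTF_8));
            first = false;
        }
        if (encodeReturnToUrl) {
            // The one change the issue asks for: let the response (and any wrapper) rewrite the URL.
            return response.encodeRedirectURL(sb.toString());
        }
        return sb.toString();
    }

    // Constructed stand-ins so the sketch runs without a servlet container.

    static HttpServletRequest fakeRequest(String url, String target) {
        InvocationHandler h = (proxy, method, args) -> {
            if ("getRequestURL".equals(method.getName())) return new StringBuffer(url);
            if ("getParameter".equals(method.getName())) return "target".equals(args[0]) ? target : null;
            throw new UnsupportedOperationException(method.getName());
        };
        return (HttpServletRequest) Proxy.newProxyInstance(HttpServletRequest.class.getClassLoader(),
                new Class<?>[] {HttpServletRequest.class}, h);
    }

    static HttpServletResponse fakeResponse() {
        // A container tracking sessions with cookies only returns the URL unchanged.
        InvocationHandler h = (proxy, method, args) -> {
            if ("encodeRedirectURL".equals(method.getName())) return args[0];
            throw new UnsupportedOperationException(method.getName());
        };
        return (HttpServletResponse) Proxy.newProxyInstance(HttpServletResponse.class.getClassLoader(),
                new Class<?>[] {HttpServletResponse.class}, h);
    }

    public static void main(String[] args) {
        HttpServletRequest request = fakeRequest("http://app-internal:8080/j_spring_openid_security_check", "/home");
        HttpServletResponse response = new OriginRewritingResponse(fakeResponse(), "https://www.example.com");

        ReturnToUrlDemo filter = new ReturnToUrlDemo();
        System.out.println("flag off: " + filter.buildReturnToUrl(request, response));
        filter.setEncodeReturnToUrl(true);
        System.out.println("flag on:  " + filter.buildReturnToUrl(request, response));
    }
}
```

With the flag off, the internal origin reaches the OpenID provider untouched; with it on, the wrapper's rewrite is applied first. One caveat worth keeping in mind before enabling it: encodeRedirectURL is also where a container falls back to URL-based session tracking, so on a client without cookies it may append the session ID to a URL that is then handed to a third party (the OpenID provider). Deployments that turn this on should restrict session tracking to cookies (Servlet 3.0 `<tracking-mode>COOKIE</tracking-mode>`), which is one more reason for the flag to default to false.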