esapi-java-legacy
DefaultHttpUtilities.sendRedirect should throw AccessControlException, not IOException
From [email protected] on December 08, 2010 14:35:44
What steps will reproduce the problem?
1. Use the Unvalidated Redirect/Forward lab solution from the ESAPI SwingSet 1.0 release ( https://code.google.com/p/swingset-demo/ ). The solution URL is https://localhost:8443/SwingSet/main?function=HttpSecurity&solution which forwards to HttpSecuritySolution.jsp.
2. Select the link on the page which attempts to redirect to www.google.com

What is the expected output? What do you see instead?
Uncaught exceptions from the SwingSet JSPs propagate up to the Controller servlet, which catches Exception and then performs a silent redirect to the SwingSet index.jsp.
The default lab solution does not catch any Exceptions thrown by ESAPI.httpUtilities().sendRedirect(), so the secured sample code causes the SwingSet application to load the index page. I added a try/catch block for AccessControlException to disable the redirect and leave the browser on the solution page but found that IOException was being thrown.

What version of the product are you using? On what operating system?
ESAPI 2.0RC10 (built from http://owasp-esapi-java.googlecode.com/svn/tags/releases/2.0_rc10 )
Sun Java version 1.5.0_21
Windows XP Professional Version 2002 SP3
Tomcat 5.5.26

Does this issue affect only a specified browser or set of browsers?
The behavior appears to reproduce consistently in IE 7.0.5730.11, Firefox 3.6.12, and Google Chrome 7.0.517.44.

Please provide any additional information below.
The Javadoc for interface HttpUtilities does not describe the conditions under which various Exceptions are thrown. Presumably, the inclusion of java.lang.IOException is to accommodate errors thrown by HttpServletResponse.sendRedirect() (which declares throws IOException).
However, the reference implementation of DefaultHttpUtilities.sendForward() throws AccessControlException when the target URL does not conform to expected patterns, so this is likely the intended behavior for sendRedirect() as well.
Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=190
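As an added example, not code from the original issue, from SwingSet, or from ESAPI itself, the following servlet shows the handling the reporter was trying to add: pre-check the target with the ESAPI validator, then catch AccessControlException and, because of the 2.0RC10 behavior described above, IOException as well, so a rejected redirect leaves the browser on the current page instead of propagating to a catch-all controller that silently redirects elsewhere. SafeRedirectServlet, the "target" request parameter and respondWithError are hypothetical names; the ESAPI calls (isValidRedirectLocation, sendRedirect, encodeForHTML, getUserMessage) are the library's own.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.AccessControlException;

/**
 * Hypothetical servlet (not part of SwingSet or ESAPI) that redirects to a
 * user-supplied "target" parameter only if ESAPI accepts it, and otherwise
 * stays on the current page with an error message rather than letting an
 * exception propagate to a controller that would redirect to index.jsp.
 */
public class SafeRedirectServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String target = request.getParameter("target");

        // Fail closed before touching the response: the Validator.Redirect
        // pattern in ESAPI.properties decides which locations are acceptable,
        // so a rejected target never reaches sendRedirect at all.
        if (!ESAPI.validator().isValidRedirectLocation("redirect target", target, false)) {
            respondWithError(response, "Redirect target was rejected by the validator.");
            return;
        }

        try {
            // DefaultHTTPUtilities is expected to throw AccessControlException for a
            // non-conforming location; ESAPI 2.0RC10 throws IOException instead
            // (the bug in this issue), so both are handled the same way here.
            ESAPI.httpUtilities().sendRedirect(response, target);
        } catch (AccessControlException e) {
            respondWithError(response, "Redirect blocked by ESAPI: " + e.getUserMessage());
        } catch (IOException e) {
            respondWithError(response, "Redirect failed: " + e.getMessage());
        }
    }

    /**
     * Writes a short error message into the current page. Nothing is written if
     * the container already committed the response (e.g. the underlying
     * HttpServletResponse.sendRedirect partially succeeded before failing).
     */
    private void respondWithError(HttpServletResponse response, String message)
            throws IOException {
        if (response.isCommitted()) {
            return;
        }
        response.setContentType("text/html;charset=UTF-8");
        // HTML-encode the message so text derived from the request or from an
        // exception cannot inject markup into the page.
        response.getWriter().write("<p>" + ESAPI.encoder().encodeForHTML(message) + "</p>");
    }
}
```

The pre-check with isValidRedirectLocation is what makes the code robust to the exception-type question raised in this issue: whichever exception a given ESAPI build throws from sendRedirect, a disallowed location is refused before the call, and the catch blocks only act as a backstop.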
From [email protected] on September 26, 2014 21:29:22
One line fix (line 814 of DefaultHTTPUtilities.java). Test cases and Javadoc may need to be updated.
Labels: Component-HttpUtilities FirstBug