demba90 / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java
Other
0 stars 0 forks source link

DefaultHttpUtilities.sendRedirect should throw AccessControlException, not IOException #190

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Use the Unvalidated Redirect/Forward lab solution from the ESAPI SwingSet 
1.0 release (http://code.google.com/p/swingset-demo/).  The solution URL is 
https://localhost:8443/SwingSet/main?function=HttpSecurity&solution which 
forwards to HttpSecuritySolution.jsp.  
2. Select the link on the page which attempts to redirect to www.google.com

What is the expected output? What do you see instead?
Uncaught exceptions from the SwingSet JSPs propagate up to the Controller 
servlet, which catches Exception and then performs a silent redirect to the 
SwingSet index.jsp.

The default lab solution does not catch any Exceptions thrown by 
ESAPI.httpUtilities().sendRedirect(), so the secured sample code causes the 
SwingSet application to load the index page.  I added a try/catch block for 
AccessControlException to disable the redirect and leave the browser on the 
solution page but found that IOException was being thrown. 

What version of the product are you using? On what operating system?
ESAPI 2.0RC10 (built from 
http://owasp-esapi-java.googlecode.com/svn/tags/releases/2.0_rc10)
Sun Java version 1.5.0_21
Windows XP Professional Version 2002 SP3
Tomcat 5.5.26

Does this issue affect only a specified browser or set of browsers?
The behavior appears to reproduce consistently in IE 7.0.5730.11, Firefox 
3.6.12, and Google Chrome 7.0.517.44.

Please provide any additional information below.
The Javadoc for interface HttpUtilities does not describe the conditions under 
which various Exceptions are thrown.  Presumably, the inclusion of 
java.lang.IOException is to accomodate errors thrown by 
HttpServletResponse.sendRedirect() (which declares throws IOException).

However, the reference implementation of DefaultHttpUtilities.sendForward() 
throws AccessControlException when the target URL does not conform to expected 
patterns, so this is likely the intended behavior for sendRedirect() as well.

Original issue reported on code.google.com by kevin.c...@scynexis.com on 8 Dec 2010 at 7:35

GoogleCodeExporter commented 8 years ago
One line fix (line 814 of DefaultHTTPUtilities.java).
Test cases and Javadoc may need updated.

Original comment by kevin.w.wall@gmail.com on 27 Sep 2014 at 4:29

GoogleCodeExporter commented 8 years ago
Pull Request of the fix sent on Github !

Original comment by karansan...@gmail.com on 27 Oct 2014 at 8:10