Issue 190: DefaultHttpUtilities.sendRedirect should throw AccessControlException, not IOException
Status:  New
Owner:  ----
Reported by kevin.c...@scynexis.com, Dec 8, 2010
What steps will reproduce the problem?
1. Use the Unvalidated Redirect/Forward lab solution from the ESAPI SwingSet 1.0 release (https://code.google.com/p/swingset-demo/).  The solution URL is https://localhost:8443/SwingSet/main?function=HttpSecurity&solution which forwards to HttpSecuritySolution.jsp.  
2. Select the link on the page which attempts to redirect to www.google.com

What is the expected output? What do you see instead?
Uncaught exceptions from the SwingSet JSPs propagate up to the Controller servlet, which catches Exception and then performs a silent redirect to the SwingSet index.jsp.

The default lab solution does not catch any Exceptions thrown by ESAPI.httpUtilities().sendRedirect(), so the secured sample code causes the SwingSet application to load the index page.  I added a try/catch block for AccessControlException to disable the redirect and leave the browser on the solution page but found that IOException was being thrown. 

What version of the product are you using? On what operating system?
ESAPI 2.0RC10 (built from http://owasp-esapi-java.googlecode.com/svn/tags/releases/2.0_rc10)
Sun Java version 1.5.0_21
Windows XP Professional Version 2002 SP3
Tomcat 5.5.26

Does this issue affect only a specified browser or set of browsers?
The behavior appears to reproduce consistently in IE 7.0.5730.11, Firefox 3.6.12, and Google Chrome 7.0.517.44.

Please provide any additional information below.
The Javadoc for interface HttpUtilities does not describe the conditions under which various Exceptions are thrown.  Presumably, the inclusion of java.lang.IOException is to accommodate errors thrown by HttpServletResponse.sendRedirect() (which declares throws IOException).

However, the reference implementation of DefaultHttpUtilities.sendForward() throws AccessControlException when the target URL does not conform to expected patterns, so this is likely the intended behavior for sendRedirect() as well.
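The distinction the report asks for, a policy violation surfacing as its own exception type so page code can catch it separately from a transport failure, is illustrated below. This is an added example written for this page, not ESAPI or SwingSet code: `SafeRedirect`, `RedirectNotAllowedException` and the allow-list of hosts are hypothetical stand-ins for whatever the real `DefaultHttpUtilities.sendRedirect()` validates against. The calling code shows the try/catch the reporter added, which only works as intended when the policy check throws something other than `IOException`.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

import javax.servlet.http.HttpServletResponse;

/** Hypothetical checked exception for a redirect target rejected by policy (not an ESAPI type). */
class RedirectNotAllowedException extends Exception {
    RedirectNotAllowedException(String message) {
        super(message);
    }
}

/** Hypothetical allow-list redirect helper; separates policy failures from I/O failures. */
final class SafeRedirect {
    private final Set<String> allowedHosts; // lower-case host names this site may redirect to

    SafeRedirect(Set<String> allowedHosts) {
        this.allowedHosts = allowedHosts;
    }

    /**
     * Policy violations throw RedirectNotAllowedException; only the actual
     * HttpServletResponse.sendRedirect() call can throw IOException.
     */
    void sendRedirect(HttpServletResponse response, String location)
            throws RedirectNotAllowedException, IOException {
        validate(location);
        response.sendRedirect(location);
    }

    /** Accepts site-absolute paths and http(s) URLs to allow-listed hosts; rejects everything else. */
    void validate(String location) throws RedirectNotAllowedException {
        if (location == null || location.isEmpty()) {
            throw new RedirectNotAllowedException("empty redirect target");
        }
        // "//evil.example/..." is protocol-relative: the browser would leave the site.
        if (location.startsWith("//")) {
            throw new RedirectNotAllowedException("protocol-relative target rejected");
        }
        URI uri;
        try {
            uri = new URI(location);
        } catch (URISyntaxException e) {
            throw new RedirectNotAllowedException("unparseable target: " + e.getReason());
        }
        if (uri.getScheme() == null && uri.getHost() == null) {
            // Relative target: require a site-absolute path so it cannot escape this application.
            if (!location.startsWith("/")) {
                throw new RedirectNotAllowedException("relative target must start with '/'");
            }
            return;
        }
        String scheme = uri.getScheme();
        if (!"http".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(scheme)) {
            throw new RedirectNotAllowedException("scheme not allowed: " + scheme);
        }
        String host = uri.getHost();
        if (host == null || !allowedHosts.contains(host.toLowerCase(Locale.ROOT))) {
            throw new RedirectNotAllowedException("host not in allow-list: " + host);
        }
    }
}

/** Page-level usage: the try/catch pattern from the report, keeping the user on the current page. */
final class RedirectLinkHandler {
    /** Returns a short status so the caller can render a message instead of bouncing to index.jsp. */
    static String follow(SafeRedirect redirector, HttpServletResponse response, String target)
            throws IOException {
        try {
            redirector.sendRedirect(response, target);
            return "redirected";
        } catch (RedirectNotAllowedException e) {
            // Policy decision: stay on the page and report it. IOException (a transport
            // failure, not a policy result) is deliberately left to propagate.
            return "blocked: " + e.getMessage();
        }
    }
}
```

With a policy-specific exception, the catch block in the lab solution can react to a blocked redirect (log it, show a message) without also swallowing genuine I/O errors, which is exactly the separation that a single `IOException` makes impossible.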
