What steps will reproduce the problem?
1. Use the Unvalidated Redirect/Forward lab solution from the ESAPI SwingSet 1.0 release (https://code.google.com/p/swingset-demo/). The solution URL is https://localhost:8443/SwingSet/main?function=HttpSecurity&solution which forwards to HttpSecuritySolution.jsp.
2. Select the link on the page which attempts to redirect to www.google.com.
What is the expected output? What do you see instead?
Uncaught exceptions from the SwingSet JSPs propagate up to the Controller servlet, which catches Exception and then performs a silent redirect to the SwingSet index.jsp.
The default lab solution does not catch any Exceptions thrown by ESAPI.httpUtilities().sendRedirect(), so the secured sample code causes the SwingSet application to load the index page. I added a try/catch block for AccessControlException to disable the redirect and leave the browser on the solution page but found that IOException was being thrown.
What version of the product are you using? On what operating system?
ESAPI 2.0RC10 (built from http://owasp-esapi-java.googlecode.com/svn/tags/releases/2.0_rc10)
Sun Java version 1.5.0_21
Windows XP Professional Version 2002 SP3
Does this issue affect only a specified browser or set of browsers?
The behavior appears to reproduce consistently in IE 7.0.5730.11, Firefox 3.6.12, and Google Chrome 7.0.517.44.
Please provide any additional information below.
The Javadoc for interface HttpUtilities does not describe the conditions under which various Exceptions are thrown. Presumably, the inclusion of java.lang.IOException is to accommodate errors thrown by HttpServletResponse.sendRedirect() (which declares throws IOException).
However, the reference implementation of DefaultHttpUtilities.sendForward() throws AccessControlException when the target URL does not conform to expected patterns, so this is likely the intended behavior for sendRedirect() as well.
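One way to handle both exception types in the lab solution, so that neither the AccessControlException described above nor the IOException the report observed escapes to the Controller servlet's catch-all. This is an added example, not SwingSet or ESAPI code: the class name SafeRedirect, the method redirectOrStay and the log messages are this example's own, and it assumes ESAPI 2.0RC10's HTTPUtilities.sendRedirect(String) (the call used in the lab) declaring AccessControlException and IOException, with ESAPI's current request/response already bound for the thread as the SwingSet filter does.

```java
// Added example (not SwingSet or ESAPI code): wrap the redirect the lab performs so that
// neither AccessControlException nor IOException propagates to the Controller servlet,
// which would otherwise catch Exception and silently send the browser to index.jsp.
// Assumes ESAPI 2.0RC10 on the classpath and the ESAPI request/response bound for
// the current thread (as the SwingSet filter does).
import java.io.IOException;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Logger;
import org.owasp.esapi.errors.AccessControlException;

public final class SafeRedirect {

    private static final Logger LOG = ESAPI.getLogger("SafeRedirect");

    private SafeRedirect() {}

    /**
     * Attempts an ESAPI-validated redirect to {@code location}.
     *
     * @return true if the redirect was issued; false if ESAPI refused the target
     *         (AccessControlException) or the container could not write the response
     *         (IOException). In both failure cases a log entry is written and the
     *         caller keeps control of the page instead of the silent index.jsp fallback.
     */
    public static boolean redirectOrStay(String location) {
        try {
            ESAPI.httpUtilities().sendRedirect(location);
            LOG.info(Logger.SECURITY_SUCCESS, "Redirect permitted to: " + location);
            return true;
        } catch (AccessControlException e) {
            // The target did not match the allowed redirect pattern. For an off-site
            // destination such as www.google.com this is the expected, desirable outcome.
            LOG.warning(Logger.SECURITY_FAILURE, "Redirect refused by ESAPI for: " + location, e);
            return false;
        } catch (IOException e) {
            // Declared by HttpServletResponse.sendRedirect(); the report notes that this
            // type was thrown instead of AccessControlException, so it must be handled too.
            LOG.error(Logger.EVENT_FAILURE, "I/O failure while redirecting to: " + location, e);
            return false;
        }
    }
}
```

In HttpSecuritySolution.jsp the link handler would call SafeRedirect.redirectOrStay("http://www.google.com") and, when it returns false, render a message on the solution page rather than letting control fall through to the Controller. Logging the AccessControlException as a SECURITY_FAILURE event is deliberate: a refused redirect is the control working, and the log line is what a reviewer checks to confirm the lab's validation actually fired.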