What steps will reproduce the problem?
1. Have a simple code that does an isValidRedirectLocation check

What is the expected output? What do you see instead?
The test will almost always fail, simply because the built-in Redirect pattern is defined as:
Validator.Redirect=^/test.*$
Could this be enhanced, so instead a real regexp is used?

What version of the product are you using? On what operating system?
Does not matter

Does this issue affect only a specified browser or set of browsers?
No

Please provide any additional information below.
Since the SecurityWrapperResponse is using the Redirect matching rule as well, probably that fails 99% of the cases as well.
Is using "URL" instead of "Redirect" a valid workaround?
That regex is a secure default value, because it is doubtful that Validator.Redirect should ever direct to a "test" URL in a production environment. That property in particular needs to be configured uniquely for your application. If it were me, I might even make that default regex one that wouldn't compile.
From majorpe...@gmail.com on October 26, 2012 06:22:49
Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=289
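An added illustration, not part of the issue or of the ESAPI code base, of why the shipped value rejects nearly every location and what an application-specific replacement has to exclude. The LOOSE and APP patterns, the path prefixes and the sample locations are assumptions made up for this example, and plain java.util.regex full-string matching stands in for the validator.

```java
import java.util.List;
import java.util.regex.Pattern;

public class RedirectPatternDemo {
    // Value quoted in the issue: Validator.Redirect=^/test.*$
    static final Pattern DEFAULT = Pattern.compile("^/test.*$");

    // Hypothetical "just make it work" replacement: anything starting with "/".
    // It also accepts scheme-relative locations such as //host/path.
    static final Pattern LOOSE = Pattern.compile("^/.*$");

    // Hypothetical application-specific value: local paths under /app or
    // /account only, each segment limited to letters, digits, "_" and "-".
    static final Pattern APP =
        Pattern.compile("^/(app|account)(/[a-zA-Z0-9_-]+)*$");

    // Full-string match; null is never an acceptable redirect target here.
    static boolean allowed(Pattern p, String location) {
        return location != null && p.matcher(location).matches();
    }

    public static void main(String[] args) {
        // Constructed sample redirect locations.
        List<String> samples = List.of(
            "/test/page",                 // only the default accepts this one
            "/app/home",
            "/account/settings/profile",
            "//other.example/login",      // scheme-relative, leaves the site
            "https://other.example/",     // absolute URL to another host
            "/app/../admin");             // dot segments escape the prefix

        System.out.printf("%-28s %-8s %-8s %-8s%n",
            "location", "default", "loose", "app");
        for (String s : samples) {
            System.out.printf("%-28s %-8b %-8b %-8b%n", s,
                allowed(DEFAULT, s), allowed(LOOSE, s), allowed(APP, s));
        }
    }
}
```

The table it prints shows the default accepting only the /test path, the loose pattern accepting the scheme-relative and dot-segment locations, and the application-specific pattern accepting only the two local application paths.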