Fix Spring Autobinding vulnerability

1. Make authorizationRequest no longer affected by HTTP request parameters, which @ModelAttribute would otherwise bind onto it. See http://agrrrdog.blogspot.com/2017/03/autobinding-vulns-and-spring-mvc.html
pull/1551/head
Michael Stepankin 2021-02-12 15:22:12 +00:00 committed by Justin Richer
parent 0d4ef2cb4f
commit 7eba3c12fe
1 changed files with 2 additions and 2 deletions


@ -103,9 +103,9 @@ public class OAuthConfirmationController {
@PreAuthorize("hasRole('ROLE_USER')") @PreAuthorize("hasRole('ROLE_USER')")
@RequestMapping("/oauth/confirm_access") @RequestMapping("/oauth/confirm_access")
public String confimAccess(Map<String, Object> model, @ModelAttribute("authorizationRequest") AuthorizationRequest authRequest, public String confirmAccess(Map<String, Object> model, Principal p) {
Principal p) {
AuthorizationRequest authRequest = (AuthorizationRequest) model.get("authorizationRequest");
// Check the "prompt" parameter to see if we need to do special processing // Check the "prompt" parameter to see if we need to do special processing
String prompt = (String)authRequest.getExtensions().get(PROMPT); String prompt = (String)authRequest.getExtensions().get(PROMPT);