Merge pull request #130 from dBucik/referer

fix: 🐛 Consider empty referer as external
pull/1580/head
Dominik František Bučík 2022-01-26 14:01:04 +01:00 committed by GitHub
commit da277e847a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 4 additions and 5 deletions


@ -68,9 +68,8 @@ public class SamlInvalidateSessionFilter extends GenericFilterBean {
HttpServletRequest req = (HttpServletRequest) request; HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse res = (HttpServletResponse) response; HttpServletResponse res = (HttpServletResponse) response;
if (MATCHER.matches(req)) { if (MATCHER.matches(req)) {
boolean isDeviceCodeFlow = DEVICE_CODE_MATCHER.matches(req) || DEVICE_CODE_ALL_MATCHER.matches(req);
String referer = req.getHeader(REFERER); String referer = req.getHeader(REFERER);
if (!isInternalReferer(referer, !isDeviceCodeFlow)) { if (!isInternalReferer(referer)) {
log.debug("Got external referer, clear session to reauthenticate"); log.debug("Got external referer, clear session to reauthenticate");
contextLogoutHandler.logout(req, res, null); contextLogoutHandler.logout(req, res, null);
} }
@ -78,9 +77,9 @@ public class SamlInvalidateSessionFilter extends GenericFilterBean {
chain.doFilter(req, res); chain.doFilter(req, res);
} }
private boolean isInternalReferer(String referer, boolean emptyRefererAsInternal) { private boolean isInternalReferer(String referer) {
if (!StringUtils.hasText(referer)) { // no referer, consider as internal if (!StringUtils.hasText(referer)) {
return emptyRefererAsInternal; return false;
} }
for (String internal : internalReferrers) { for (String internal : internalReferrers) {
if (referer.startsWith(internal)) { if (referer.startsWith(internal)) {