DefaultRedirectStrategy should redirect to root if the context-relative URL does not contain the context-path.

mpalourdio · eleftherias · commit d26f40f0621e · 2019-10-23T09:41:00.000-04:00
diff --git a/web/src/main/java/org/springframework/security/web/DefaultRedirectStrategy.java b/web/src/main/java/org/springframework/security/web/DefaultRedirectStrategy.java
@@ -73,6 +73,10 @@ protected String calculateRedirectUrl(String contextPath, String url) {
 			return url;
 		}
 
+		if (!url.contains(contextPath)) {
+			return "";
+		}
+
 		// Calculate the relative URL from the fully qualified URL, minus the last
 		// occurrence of the scheme and base context.
 		url = url.substring(url.lastIndexOf("://") + 3); // strip off scheme
diff --git a/web/src/test/java/org/springframework/security/web/DefaultRedirectStrategyTests.java b/web/src/test/java/org/springframework/security/web/DefaultRedirectStrategyTests.java
@@ -56,4 +56,19 @@ public void contextRelativeUrlWithMultipleSchemesInHostnameIsHandledCorrectly()
 
 		assertThat(response.getRedirectedUrl()).isEqualTo("remainder");
 	}
+
+	@Test
+	public void contextRelativeShouldRedirectToRootIfURLDoesNotContainContextPath()
+		throws Exception {
+		DefaultRedirectStrategy rds = new DefaultRedirectStrategy();
+		rds.setContextRelative(true);
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		request.setContextPath("/context");
+		MockHttpServletResponse response = new MockHttpServletResponse();
+
+		rds.sendRedirect(request, response,
+			"https://redirectme.somewhere.else");
+
+		assertThat(response.getRedirectedUrl()).isEqualTo("");
+	}
 }
