spring-security-web-6.5.5.jar
Describe the bug
Javadoc states:
If the useReferer property is set, the "Referer" HTTP header value will be used, if present.
As a fallback option, the defaultTargetUrl value will be used.
In the current implementation, if useReferer is true the method always returns the header value, without the fallback described in the Javadoc.
In version spring-security-web-5.8.19.jar we had:
```java
if (this.useReferer && !StringUtils.hasLength(targetUrl)) {
    targetUrl = request.getHeader("Referer");
    if (this.logger.isTraceEnabled()) {
        this.logger.trace(LogMessage.format("Using url %s from Referer header", targetUrl));
    }
}
if (!StringUtils.hasText(targetUrl)) {
    targetUrl = this.defaultTargetUrl;
    if (this.logger.isTraceEnabled()) {
        this.logger.trace(LogMessage.format("Using default url %s", targetUrl));
    }
}
return targetUrl;
```
In spring-security-web-6.5.5.jar we have:
```java
if (this.useReferer) {
    trace("Using url %s from Referer header", request.getHeader("Referer"));
    return request.getHeader("Referer");
}
return this.defaultTargetUrl;
```
In Spring Security 5.8.x, useReferer=true falls back to defaultTargetUrl when the Referer header is null or empty.
In 6.5.5, determineTargetUrl returns null if the Referer header is missing, causing redirect failures.
To Reproduce
- set useReferer=true
- send a request with no Referer header, so that request.getHeader("Referer") returns null
- set defaultTargetUrl="/sampleUrl"
Expected behavior
"/sampleUrl" is returned
Current behavior
null is returned
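The two shapes side by side, as an added standalone illustration (not Spring Security code): request headers are modelled as a `Map` instead of `HttpServletRequest`, and the method names are invented for the demo.

```java
import java.util.Collections;
import java.util.Map;

// Added illustration, not Spring Security code: models the useReferer branch of
// determineTargetUrl with request headers as a Map instead of HttpServletRequest.
public class RefererFallbackDemo {

    // Mirrors the 6.5.5 shape quoted in the report: when useReferer is true the
    // raw header value is returned, so a request without a Referer yields null.
    static String determineTargetUrl655(Map<String, String> headers,
                                        boolean useReferer, String defaultTargetUrl) {
        if (useReferer) {
            return headers.get("Referer");
        }
        return defaultTargetUrl;
    }

    // Mirrors the 5.8.19 shape: a Referer is used only when present and non-blank
    // (StringUtils.hasText semantics); otherwise defaultTargetUrl is the fallback,
    // which is the behaviour the Javadoc describes.
    static String determineTargetUrlWithFallback(Map<String, String> headers,
                                                 boolean useReferer, String defaultTargetUrl) {
        String targetUrl = null;
        if (useReferer) {
            targetUrl = headers.get("Referer");
        }
        if (targetUrl == null || targetUrl.isBlank()) {
            targetUrl = defaultTargetUrl;
        }
        return targetUrl;
    }

    public static void main(String[] args) {
        // Constructed inputs following the report's reproduction steps.
        String defaultTargetUrl = "/sampleUrl";
        Map<String, String> noReferer = Collections.emptyMap();
        Map<String, String> blankReferer = Map.of("Referer", "   ");
        Map<String, String> withReferer = Map.of("Referer", "https://app.example/page");

        System.out.println("6.5.5, no Referer:       " + determineTargetUrl655(noReferer, true, defaultTargetUrl));
        System.out.println("fallback, no Referer:    " + determineTargetUrlWithFallback(noReferer, true, defaultTargetUrl));
        System.out.println("6.5.5, blank Referer:    " + determineTargetUrl655(blankReferer, true, defaultTargetUrl));
        System.out.println("fallback, blank Referer: " + determineTargetUrlWithFallback(blankReferer, true, defaultTargetUrl));
        System.out.println("fallback, with Referer:  " + determineTargetUrlWithFallback(withReferer, true, defaultTargetUrl));
    }
}
```

The first and third lines print null and a blank string respectively, which is the redirect failure described above; the fallback variant prints /sampleUrl for both and the header value only when one is actually present.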