src/main/kotlin/de/uapcore/lightpit/AbstractServlet.kt

changeset 392
c0c7b4ca2946
parent 374
34abadbdd0e3
--- a/src/main/kotlin/de/uapcore/lightpit/AbstractServlet.kt	Mon Sep 22 20:00:59 2025 +0200
+++ b/src/main/kotlin/de/uapcore/lightpit/AbstractServlet.kt	Sat Oct 04 13:34:33 2025 +0200
@@ -138,8 +138,19 @@
         // set some internal request attributes
         val fullPath = req.servletPath + Optional.ofNullable(req.pathInfo).orElse("")
         req.setAttribute(Constants.REQ_ATTR_PATH, fullPath)
-        req.getHeader("Referer")?.let {
-            // TODO: add a sanity check to avoid link injection
+        req.getHeader("Referer")?.let { referer ->
+            val portInfo =
+                if ((req.scheme == "http" && req.serverPort == 80)
+                    || (req.scheme == "https" && req.serverPort == 443)
+                ) "" else ":${req.serverPort}"
+            val baseHrefOptionalPort = "${req.scheme}://${req.serverName}$portInfo${req.contextPath}/"
+            val baseHrefWithPort = "${req.scheme}://${req.serverName}${req.serverPort}${req.contextPath}/"
+            if (referer.startsWith(baseHrefOptionalPort) || referer.startsWith(baseHrefWithPort)) {
+                referer
+            } else {
+                null
+            }
+        }?.let {
             req.setAttribute(Constants.REQ_ATTR_REFERER, it)
         }
 
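Review bot: `baseHrefWithPort` on the new line 21 is missing the `:` between `req.serverName` and `req.serverPort`, so it expands to something like `https://host443/ctx/` and can never match a real Referer; only the `baseHrefOptionalPort` branch ever works, so a request arriving with the explicit default port in its Referer (`https://host:443/ctx/...`) is silently dropped. The fix is `val baseHrefWithPort = "${req.scheme}://${req.serverName}:${req.serverPort}${req.contextPath}/"`. It would also be worth a short comment on the check, e.g. `// only accept a Referer that points back into this application (same scheme/host/port/context) to avoid reflecting arbitrary links`, since the old TODO is removed and the intent is otherwise only implied. Note that `req.serverName` and `req.serverPort` come from the request itself, so this is a same-origin check relative to the Host header, not an absolute allow-list; if that is intended it deserves saying in the comment. The enclosing function starts and ends outside the hunk.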
