Details
diff --git a/core/src/main/java/org/keycloak/util/UriUtils.java b/core/src/main/java/org/keycloak/util/UriUtils.java
index 873283f..8532c5b 100644
--- a/core/src/main/java/org/keycloak/util/UriUtils.java
+++ b/core/src/main/java/org/keycloak/util/UriUtils.java
@@ -1,12 +1,15 @@
package org.keycloak.util;
import java.net.URI;
+import java.util.regex.Pattern;
/**
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
*/
public class UriUtils {
+ private static final Pattern originPattern = Pattern.compile("(http://|https://)[\\w]+(\\.[\\w]+)*(:[\\d]{2,5})?");
+
public static String getOrigin(URI uri) {
return getOrigin(uri.toString());
}
@@ -16,4 +19,8 @@ public class UriUtils {
return u.substring(0, u.indexOf('/', 8));
}
+ public static boolean isOrigin(String url) {
+ return originPattern.matcher(url).matches();
+ }
+
}
diff --git a/core/src/test/java/org/keycloak/util/UriUtilsTest.java b/core/src/test/java/org/keycloak/util/UriUtilsTest.java
new file mode 100644
index 0000000..52d484d
--- /dev/null
+++ b/core/src/test/java/org/keycloak/util/UriUtilsTest.java
@@ -0,0 +1,44 @@
+package org.keycloak.util;
+
+import org.junit.Test;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+/**
+ * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
+ */
+public class UriUtilsTest {
+
+ @Test
+ public void testOrigins() {
+ assertValid("http://test");
+ assertValid("http://test:8080");
+ assertValid("https://test");
+ assertValid("http://test.com");
+ assertValid("https://test.com");
+ assertValid("https://test.com:8080");
+ assertValid("http://sub.test.com");
+ assertValid("https://sub.test.com");
+ assertValid("https://sub.test.com:8080");
+ assertValid("http://192.168.123.123");
+ assertValid("https://192.168.123.123");
+ assertValid("https://192.168.123.123:8080");
+
+ assertInvalid("https://test/");
+ assertInvalid("{");
+ assertInvalid("https://{}");
+ assertInvalid("https://)");
+ assertInvalid("http://test:test");
+ assertInvalid("http://test:8080:8080");
+ }
+
+ public void assertValid(String origin) {
+ assertTrue(UriUtils.isOrigin(origin));
+ }
+
+ public void assertInvalid(String origin) {
+ assertFalse(UriUtils.isOrigin(origin));
+ }
+
+}
diff --git a/services/src/main/java/org/keycloak/services/resources/RealmsResource.java b/services/src/main/java/org/keycloak/services/resources/RealmsResource.java
index e618c9e..9bb5db3 100755
--- a/services/src/main/java/org/keycloak/services/resources/RealmsResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/RealmsResource.java
@@ -19,6 +19,7 @@ import org.keycloak.services.managers.BruteForceProtector;
import org.keycloak.services.managers.RealmManager;
import org.keycloak.services.managers.TokenManager;
import org.keycloak.util.StreamUtil;
+import org.keycloak.util.UriUtils;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
@@ -94,6 +95,10 @@ public class RealmsResource {
public Response getLoginStatusIframe(final @PathParam("realm") String name,
@QueryParam("client_id") String client_id,
@QueryParam("origin") String origin) {
+ if (!UriUtils.isOrigin(origin)) {
+ throw new BadRequestException("Invalid origin");
+ }
+
AuthenticationManager auth = new AuthenticationManager();
RealmManager realmManager = new RealmManager(session);
