
KEYCLOAK-7340

9/5/2018 10:06:05 AM


diff --git a/services/src/main/java/org/keycloak/protocol/oidc/utils/OIDCRedirectUriBuilder.java b/services/src/main/java/org/keycloak/protocol/oidc/utils/OIDCRedirectUriBuilder.java
index 5121989..3b62fe1 100644
--- a/services/src/main/java/org/keycloak/protocol/oidc/utils/OIDCRedirectUriBuilder.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/utils/OIDCRedirectUriBuilder.java
@@ -18,6 +18,7 @@
 package org.keycloak.protocol.oidc.utils;
 
 import org.keycloak.common.util.Encode;
+import org.keycloak.common.util.HtmlUtils;
 import org.keycloak.common.util.KeycloakUriBuilder;
 
 import javax.ws.rs.core.MediaType;
@@ -148,8 +149,11 @@ public abstract class OIDCRedirectUriBuilder {
             builder.append("    <FORM METHOD=\"POST\" ACTION=\"" + redirectUri.toString() + "\">");
 
             for (Map.Entry<String, String> param : params.entrySet()) {
-                builder.append("  <INPUT TYPE=\"HIDDEN\" NAME=\"").append(param.getKey())
-                        .append("\" VALUE=\"").append(param.getValue()).append("\" />");
+                builder.append("  <INPUT TYPE=\"HIDDEN\" NAME=\"")
+                        .append(param.getKey())
+                        .append("\" VALUE=\"")
+                        .append(HtmlUtils.escapeAttribute(param.getValue()))
+                        .append("\" />");
             }
 
             builder.append("      <NOSCRIPT>");
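Review bot: The attribute escaping added on line 30 covers only the parameter value; `param.getKey()` on line 28 still lands in the NAME attribute unescaped, and `redirectUri.toString()` on the unchanged line 22 is concatenated into ACTION with no attribute escaping at all. If the keys are fixed protocol parameter names the key is harmless in practice, but escaping it the same way costs nothing and keeps the invariant local to the loop: `.append(HtmlUtils.escapeAttribute(param.getKey()))`. A redirect URI containing `&` or `"` would likewise be safer as `HtmlUtils.escapeAttribute(redirectUri.toString())`, assuming escapeAttribute only rewrites characters that are significant inside a quoted attribute. The enclosing method starts before the hunk.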
diff --git a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/rest/TestApplicationResourceProvider.java b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/rest/TestApplicationResourceProvider.java
index 9881088..c88dace 100644
--- a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/rest/TestApplicationResourceProvider.java
+++ b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/rest/TestApplicationResourceProvider.java
@@ -20,6 +20,7 @@ package org.keycloak.testsuite.rest;
 import org.jboss.resteasy.annotations.cache.NoCache;
 import org.jboss.resteasy.spi.HttpRequest;
 import org.jboss.resteasy.spi.ResteasyProviderFactory;
+import org.keycloak.common.util.HtmlUtils;
 import org.keycloak.jose.jws.JWSInput;
 import org.keycloak.jose.jws.JWSInputException;
 import org.keycloak.models.KeycloakSession;
@@ -135,7 +136,10 @@ public class TestApplicationResourceProvider implements RealmResourceProvider {
         HttpRequest request = ResteasyProviderFactory.getContextData(HttpRequest.class);
         MultivaluedMap<String, String> formParams = request.getDecodedFormParameters();
         for (String paramName : formParams.keySet()) {
-            sb.append(paramName).append(": ").append("<span id=\"").append(paramName).append("\">").append(formParams.getFirst(paramName)).append("</span><br>");
+            sb.append(paramName).append(": ").append("<span id=\"")
+                    .append(paramName).append("\">")
+                    .append(HtmlUtils.escapeAttribute(formParams.getFirst(paramName)))
+                    .append("</span><br>");
         }
         sb.append("<br>");
 
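Review bot: `paramName` is still written unescaped twice on lines 52–53, once as element text and once inside the `id` attribute, while only the value is escaped on line 54; a form field name containing `"` or `<` would still break the markup this test page relies on. The escaped value is also placed into element text content rather than an attribute, so an attribute-oriented escape is adequate only if `HtmlUtils.escapeAttribute` encodes `<`, `>` and `&` as well — worth confirming, since the new AuthorizationCodeTest asserts that state round-trips through exactly this path. Suggest `.append(HtmlUtils.escapeAttribute(paramName))` for both occurrences. The enclosing method begins outside the hunk.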
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AuthorizationCodeTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AuthorizationCodeTest.java
index f588207..e9358a0 100755
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AuthorizationCodeTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AuthorizationCodeTest.java
@@ -151,4 +151,22 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest {
         String codeId = events.expectLogin().assertEvent().getDetails().get(Details.CODE_ID);
     }
 
+
+    @Test
+    public void authorizationRequestFormPostResponseModeWithCustomState() throws IOException {
+        oauth.responseMode(OIDCResponseMode.FORM_POST.toString().toLowerCase());
+        oauth.stateParamHardcoded("\"><foo>bar_baz(2)far</foo>");
+        oauth.doLoginGrant("test-user@localhost", "password");
+
+        String sources = driver.getPageSource();
+        System.out.println(sources);
+
+        String code = driver.findElement(By.id("code")).getText();
+        String state = driver.findElement(By.id("state")).getText();
+
+        assertEquals("\"><foo>bar_baz(2)far</foo>", state);
+
+        String codeId = events.expectLogin().assertEvent().getDetails().get(Details.CODE_ID);
+    }
+
 }
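Review bot: The new test leaves a debug `System.out.println(sources);` on line 75 and two unused locals, `code` on line 77 and `codeId` on line 82, which only add noise; drop the print and the dead assignments, or turn the `events.expectLogin()` line into a plain statement as the preceding test in this class appears to do. The assertion on line 80 only shows that Selenium's `getText()` recovers the original state, which would also pass if the value were emitted raw; adding `assertFalse(sources.contains("\"><foo>"));` against the page source would pin the escaping itself.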