From 40d61743b939cbc4ae5417269b7232270f8fca6c Mon Sep 17 00:00:00 2001
From: Josh Cummings
Date: Mon, 10 Jul 2023 16:12:05 -0600
Subject: [PATCH] Replace Existing Continue Parameter

Closes gh-13438
---
 .../security/web/savedrequest/DefaultSavedRequest.java | 7 +++----
 .../web/savedrequest/DefaultSavedRequestTests.java | 10 ++++++++++
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java b/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java
index e5ccf6cf9d7..620610f6815 100644
--- a/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java
+++ b/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java
@@ -38,6 +38,7 @@
 import org.springframework.security.web.util.UrlUtils;
 import org.springframework.util.Assert;
 import org.springframework.util.ObjectUtils;
+import org.springframework.web.util.UriComponentsBuilder;

 /**
 * Represents central information from a {@code HttpServletRequest}.
@@ -372,10 +373,8 @@ private static String createQueryString(String queryString, String matchingReque
 if (queryString == null || queryString.length() == 0) {
 return matchingRequestParameterName;
 }
- if (queryString.endsWith("&")) {
- return queryString + matchingRequestParameterName;
- }
- return queryString + "&" + matchingRequestParameterName;
+ return UriComponentsBuilder.newInstance().query(queryString).replaceQueryParam(matchingRequestParameterName)
+ .queryParam(matchingRequestParameterName).build().getQuery();
 }

 /**
diff --git a/web/src/test/java/org/springframework/security/web/savedrequest/DefaultSavedRequestTests.java b/web/src/test/java/org/springframework/security/web/savedrequest/DefaultSavedRequestTests.java
index 4bec0f12968..f010a6521d8 100644
--- a/web/src/test/java/org/springframework/security/web/savedrequest/DefaultSavedRequestTests.java
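Review bot: The new `return` in `createQueryString` no longer appends to the client-supplied query string but parses and re-serialises it, and `replaceQueryParam(matchingRequestParameterName)` called without values removes every existing occurrence of that name, including one that carried a value (a constructed example: a request with `success=1` would come back with a bare `success`). Because this string ends up in the post-login redirect URL, that behaviour deserves a comment above the return, for example `// Strip any client-supplied copy of the marker (with or without a value) so it appears exactly once`, plus tests for the valued and the repeated case. The opening lines of `createQueryString` are outside the hunk, so whether a null parameter name is filtered out before this call cannot be confirmed from here.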
+++ b/web/src/test/java/org/springframework/security/web/savedrequest/DefaultSavedRequestTests.java
@@ -122,4 +122,14 @@ public void getRedirectUrlWhenQueryDoesNotEndAmpersandAndMatchingRequestParamete
 assertThat(new URL(savedRequest.getRedirectUrl())).hasQuery("foo=bar&success");
 }

+ // gh-13438
+ @Test
+ public void getRedirectUrlWhenQueryAlreadyHasSuccessThenDoesNotAdd() throws Exception {
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ request.setQueryString("foo=bar&success");
+ DefaultSavedRequest savedRequest = new DefaultSavedRequest(request, new MockPortResolver(8080, 8443),
+ "success");
+ assertThat(savedRequest.getRedirectUrl()).contains("foo=bar&success");
+ }
+
 }
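Review bot: The assertion `contains("foo=bar&success")` in `getRedirectUrlWhenQueryAlreadyHasSuccessThenDoesNotAdd` also holds for a URL whose query is `foo=bar&success&success`, so the test would pass against the code this commit replaces and does not pin the fix. Match the whole query instead, as the neighbouring test in the context lines does: `assertThat(new URL(savedRequest.getRedirectUrl())).hasQuery("foo=bar&success");`.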