From 32098f820dedcc39bcd018f07e6e9a1e67448260 Mon Sep 17 00:00:00 2001
From: Michel Palourdio
Date: Sat, 26 Nov 2016 13:08:34 +0100
Subject: [PATCH] DefaultRedirectStrategy should redirect to root if the context-relative URL does not contain the context-path.

---
 .../security/web/DefaultRedirectStrategy.java | 4 ++++
 .../web/DefaultRedirectStrategyTests.java | 15 +++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/web/src/main/java/org/springframework/security/web/DefaultRedirectStrategy.java b/web/src/main/java/org/springframework/security/web/DefaultRedirectStrategy.java
index 6537723fcc0..5d22355b0ad 100644
--- a/web/src/main/java/org/springframework/security/web/DefaultRedirectStrategy.java
+++ b/web/src/main/java/org/springframework/security/web/DefaultRedirectStrategy.java
@@ -73,6 +73,10 @@ protected String calculateRedirectUrl(String contextPath, String url) {
 			return url;
 		}
 
+		if (!url.contains(contextPath)) {
+			return "";
+		}
+
 		// Calculate the relative URL from the fully qualified URL, minus the last
 		// occurrence of the scheme and base context.
 		url = url.substring(url.lastIndexOf("://") + 3); // strip off scheme
diff --git a/web/src/test/java/org/springframework/security/web/DefaultRedirectStrategyTests.java b/web/src/test/java/org/springframework/security/web/DefaultRedirectStrategyTests.java
index a32e509ffe2..94cb30b03d0 100644
--- a/web/src/test/java/org/springframework/security/web/DefaultRedirectStrategyTests.java
+++ b/web/src/test/java/org/springframework/security/web/DefaultRedirectStrategyTests.java
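Review bot: The new guard `if (!url.contains(contextPath))` is an unanchored substring test, so it only rejects absolute URLs in which the context path appears nowhere at all; a URL that carries the same text inside a longer path segment, the host name, or the query string passes it and falls through to the scheme/base-context stripping below, and when `contextPath` is the empty string (root deployment) `contains("")` is always true and the guard never fires. If that fall-through is acceptable it should at least be stated next to the check, e.g. `// Substring match only: a URL that merely mentions the context path elsewhere (or an empty context path) still reaches the stripping below`; otherwise the check should be anchored to the path component that follows the authority. The enclosing `calculateRedirectUrl` starts before the hunk and its remaining stripping logic continues after it, so what those inputs actually produce cannot be confirmed from this hunk alone.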
@@ -56,4 +56,19 @@ public void contextRelativeUrlWithMultipleSchemesInHostnameIsHandledCorrectly()
 		assertThat(response.getRedirectedUrl()).isEqualTo("remainder");
 	}
 
+
+	@Test
+	public void contextRelativeShouldRedirectToRootIfURLDoesNotContainContextPath()
+			throws Exception {
+		DefaultRedirectStrategy rds = new DefaultRedirectStrategy();
+		rds.setContextRelative(true);
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		request.setContextPath("/context");
+		MockHttpServletResponse response = new MockHttpServletResponse();
+
+		rds.sendRedirect(request, response,
+				"https://redirectme.somewhere.else");
+
+		assertThat(response.getRedirectedUrl()).isEqualTo("");
+	}
 }
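Review bot: The new test covers only the case where the context path is entirely absent from the absolute URL, which is the one input the `contains` guard in DefaultRedirectStrategy unambiguously rejects; it does not pin what happens when `/context` appears in the URL but not as the deployment's path segment (for example in the query string or as a prefix of a longer segment), so the boundary of the new guard remains untested. A sibling test with such an input and an explicit expected value would document whether that fall-through is intended. The test name also promises a redirect "to root" while the assertion checks for the empty string `""`; a short comment such as `// empty relative URL resolves to the context root via the encoded redirect` would make the relation explicit, assuming that is how sendRedirect treats it (confirm against the non-hunk lines).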