Merge branch '7.0.x'

jzheaux · jzheaux · commit 0606ff152b0b · 2026-03-25T15:20:07.000-06:00
diff --git a/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandler.java b/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandler.java
@@ -113,9 +113,14 @@ protected String determineTargetUrl(HttpServletRequest request, HttpServletRespo
 			trace("Using url %s from request parameter %s", targetUrlParameterValue, this.targetUrlParameter);
 			return targetUrlParameterValue;
 		}
+
+		String refererHeader = request.getHeader("Referer");
+		if (!StringUtils.hasText(refererHeader)) {
+			return this.defaultTargetUrl;
+		}
 		if (this.useReferer) {
-			trace("Using url %s from Referer header", request.getHeader("Referer"));
-			return request.getHeader("Referer");
+			trace("Using url %s from Referer header", refererHeader);
+			return refererHeader;
 		}
 		return this.defaultTargetUrl;
 	}
diff --git a/web/src/test/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandlerTests.java b/web/src/test/java/org/springframework/security/web/authentication/AbstractAuthenticationTargetUrlRequestHandlerTests.java
@@ -114,4 +114,12 @@ void setRedirectStrategyWhenGivenNullThenThrowsException() {
 		assertThatIllegalArgumentException().isThrownBy(() -> this.handler.setRedirectStrategy(null));
 	}
 
+	// gh-18805
+	@Test
+	void returnDefaultUrlIfUseRefererIsTrueAndRefererHeaderIsEmpty() {
+		this.handler.setUseReferer(true);
+		this.request.addHeader("Referer", "");
+		assertThat(this.handler.determineTargetUrl(this.request, this.response)).isEqualTo(DEFAULT_TARGET_URL);
+	}
+
 }

Original file line number	Diff line number	Diff line change
`@@ -113,9 +113,14 @@ protected String determineTargetUrl(HttpServletRequest request, HttpServletRespo`
`113`	`113`	`trace("Using url %s from request parameter %s", targetUrlParameterValue, this.targetUrlParameter);`
`114`	`114`	`return targetUrlParameterValue;`
`115`	`115`	`}`
	`116`	`+`
	`117`	`+ String refererHeader = request.getHeader("Referer");`
	`118`	`+ if (!StringUtils.hasText(refererHeader)) {`
	`119`	`+ return this.defaultTargetUrl;`
	`120`	`+ }`
`116`	`121`	`if (this.useReferer) {`
`117`		`- trace("Using url %s from Referer header", request.getHeader("Referer"));`
`118`		`- return request.getHeader("Referer");`
	`122`	`+ trace("Using url %s from Referer header", refererHeader);`
	`123`	`+ return refererHeader;`
`119`	`124`	`}`
`120`	`125`	`return this.defaultTargetUrl;`
`121`	`126`	`}`
Original file line number	Diff line number	Diff line change
`@@ -114,4 +114,12 @@ void setRedirectStrategyWhenGivenNullThenThrowsException() {`
`114`	`114`	`assertThatIllegalArgumentException().isThrownBy(() -> this.handler.setRedirectStrategy(null));`
`115`	`115`	`}`
`116`	`116`
	`117`	`+ // gh-18805`
	`118`	`+ @Test`
	`119`	`+ void returnDefaultUrlIfUseRefererIsTrueAndRefererHeaderIsEmpty() {`
	`120`	`+ this.handler.setUseReferer(true);`
	`121`	`+ this.request.addHeader("Referer", "");`
	`122`	`+ assertThat(this.handler.determineTargetUrl(this.request, this.response)).isEqualTo(DEFAULT_TARGET_URL);`
	`123`	`+ }`
	`124`	`+`
`117`	`125`	`}`