#7545 return_to param should be validated for relative URLs

v1.2.0
closed
General
2015-08-20
2014-07-07
No

The login form return_to param should only accept relative urls, and not external urls. An easy check is that '//' is not in the return_to URL (it matches protocol-less urls too).

This will prevent phishing sites from taking advantage the login flow to present a malicious page.

Discussion

  • Dave Brondsema

    Dave Brondsema - 2014-07-11
    • Size: --> 1
     
  • Cory Johns

    Cory Johns - 2014-07-14
    • status: open --> in-progress
    • assigned_to: Cory Johns
     
  • Cory Johns

    Cory Johns - 2014-07-14

    allura:cj/7545

    I went with a slightly more complex approach, to allow for, e.g., http://sourceforge.net/foo return_to URLs to work.

     
  • Cory Johns

    Cory Johns - 2014-07-14
    • status: in-progress --> code-review
     
  • Dave Brondsema

    Dave Brondsema - 2014-07-16
    • status: code-review --> closed
    • private: Yes --> No
    • QA: Dave Brondsema
     
  • Dave Brondsema

    Dave Brondsema - 2015-01-05
    • Milestone: unreleased --> asf_release_1.2.0
     

Log in to post a comment.