Apache Allura™ / Tickets / #7545 return_to param should be validated for relative URLs

#7545 return_to param should be validated for relative URLs

Milestone: v1.2.0

Status: closed

Owner: Cory Johns

Labels: security (34) sf-1 (616)

Component: General

Reviewer: Dave Brondsema

Updated: 2015-08-20

Created: 2014-07-07

Creator: Dave Brondsema

Private: No

The login form return_to param should only accept relative urls, and not external urls. An easy check is that '//' is not in the return_to URL (it matches protocol-less urls too).

This will prevent phishing sites from taking advantage the login flow to present a malicious page.

Discussion

Dave Brondsema - 2014-07-11

Size: --> 1
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Cory Johns - 2014-07-14

status: open --> in-progress

assigned_to: Cory Johns
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Cory Johns - 2014-07-14

allura:cj/7545

I went with a slightly more complex approach, to allow for, e.g., http://sourceforge.net/foo return_to URLs to work.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Cory Johns - 2014-07-14

status: in-progress --> code-review
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2014-07-16

status: code-review --> closed

private: Yes --> No

QA: Dave Brondsema
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2015-01-05

Milestone: unreleased --> asf_release_1.2.0
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Apache Allura™

Forge software for hosting software projects

Milestone

Searches

Help

#7545 return_to param should be validated for relative URLs

Discussion