
Limit redirecting only to local or whitelisted domains #97

Open
dmitriim opened this issue Oct 31, 2023 · 3 comments
Comments

@dmitriim
Member

Currently on logout you can redirect to any URL. Would be more secure to redirect only to internal pages and whitelisted pages. I guess we need a new setting for that.

@brendanheywood
Contributor

I would treat the open redirect as a bug and fix that, and treat the whitelist as a bonus points new feature - yes it worked in the past but it's an undocumented bug rather than an explicit feature

@dmitriim
Member Author

dmitriim commented Nov 2, 2023

Agree we should fix it brutally by limiting to local URLs only and leave this one open as an enhancement for those who may be suffering.

@dmitriim dmitriim added the bug label Nov 2, 2023
dmitriim pushed a commit that referenced this issue Nov 11, 2023
* Fix for open redirect in logout function

* modified to PARAM_LOCALURL
@dmitriim dmitriim removed the bug label Nov 13, 2023
@dmitriim
Member Author

After landing #99 we are redirecting only to internal pages, which is not ideal and can potentially break some functionality.

Next step would be introducing a new setting for whitelisting domains for redirecting.
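As an added example (not the plugin's own code), a PHP check that implements the two-stage policy discussed in this thread: a local URL (site-relative path, or same host and port as the site) is always allowed, and a whitelist of extra hostnames, standing in for the proposed new setting, is consulted for everything else. `$wwwroot` and `$whitelist` are assumed values, not taken from the plugin.

```php
<?php
// Added example, not the plugin's code: validate a post-logout redirect target.
// Local URLs are always allowed; other hosts must be on $whitelist (assumed to
// stand in for the proposed setting). $wwwroot stands in for the site base URL.

function is_allowed_redirect(string $target, string $wwwroot, array $whitelist = []): bool {
    $target = trim($target);
    if ($target === '' || preg_match('/[\x00-\x1f\x7f]/', $target)) {
        return false;                       // empty, or control chars (header injection)
    }
    // "//host" and "/\host" are protocol-relative in browsers: treat as external.
    if ($target[0] === '/' && strlen($target) > 1 && ($target[1] === '/' || $target[1] === '\\')) {
        return false;
    }
    $parts = parse_url($target);
    if ($parts === false) {
        return false;
    }
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        return $target[0] === '/';          // site-relative path: local by definition
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;                       // javascript:, data:, etc.
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;                       // https://site.example@other.example
    }
    $host = strtolower($parts['host'] ?? '');
    $site = parse_url($wwwroot);
    if ($host === strtolower($site['host'] ?? '') && ($parts['port'] ?? null) === ($site['port'] ?? null)) {
        return true;                        // same host and port as wwwroot
    }
    return in_array($host, array_map('strtolower', $whitelist), true);
}

// Constructed demo values.
$wwwroot   = 'https://moodle.example.org';
$whitelist = ['sso.partner.example'];
foreach ([
    '/my/',                                     // allow: local path
    'https://moodle.example.org/login/',        // allow: same host
    'https://sso.partner.example/logout',       // allow: whitelisted host
    '//other.example/',                         // deny: protocol-relative
    'https://moodle.example.org@other.example/', // deny: userinfo trick
    'javascript:void(0)',                       // deny: non-http scheme
] as $url) {
    printf("%-45s %s\n", $url, is_allowed_redirect($url, $wwwroot, $whitelist) ? 'allow' : 'deny');
}
```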
