Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Issue #97: Fix for open redirect in logout function #99

Merged
merged 2 commits into from
Nov 11, 2023
Merged

Issue #97: Fix for open redirect in logout function #99

Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
9893453
Fix for open redirect in logout function
Cyber-Wo0dy Nov 8, 2023
a2ac4bc
modified to PARAM_LOCALURL
Cyber-Wo0dy Nov 10, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 14 additions & 1 deletion auth.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -639,10 +639,23 @@ public function logoutpage_hook() {
/**
* Log out user and redirect.
*/
public function validate_url() {
return filter_var($this->config->redirecturl, FILTER_VALIDATE_URL);
}

public function define_redirect() {
global $CFG;

if (!$this->validate_url()) {
return $CFG->wwwroot;
}
return $this->config->redirecturl;
}

public function user_logout_userkey() {
global $CFG, $USER;

$redirect = required_param('return', PARAM_URL);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it be easier to change this line to $redirect = required_param('return', PARAM_LOCALURL); ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well observed @dmitriim! Because in this suggestion I thought about the option of preserving the redirection to an external address, according to the url registered in "Logout redirection URL". In this case, I have a question: if we define it as PARAM_LOCALURL the redirection will only be possible to addresses related to the Moodle installation, right?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if we define it as PARAM_LOCALURL the redirection will only be possible to addresses related to the Moodle installation, right?

Yes, that's correct.

In your patch you're using $this->config->redirecturl which potentially confused you. This config is set in Moodle and used to always redirect a user after logging out from Moodle. E.g. redirecting to IDP logout page so a user is logged out from all apps at once.

However, in context of this issue $redirect is coning from outside of Moodle. E.g. when an external app requires users to logout from Moodle and then come back to the app for some other actions.

Hope that makes more sense now.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Got it, @dmitriim! Thank you for the clarifications. I will make a new commit with your suggestion.

$redirect = $this->define_redirect();

// We redirect when user's session in Moodle already has expired
// or the user is still logged in using "userkey" auth type.
Expand Down