- Bug
- Resolution: Unresolved
- Medium
- None
- 0.38.3
- None
- true
Tested in Confluence 3.0.0_01.
I tried adding the allow.any.redirect.url parameter in my local instance and tested redirection with the following:
http://localhost:8080/login.action?os_destination=%2Fdisplay%2Fsand%2FHome
And this setting in seraph-config.xml:
<init-param>
    <param-name>allow.any.redirect.url</param-name>
    <param-value>true</param-value>
</init-param>
The code involved is:
public boolean allowedRedirectDestination(final String redirectUrl, final HttpServletRequest request)
{
    // Test for total trust
    if (allowAnyUrl)
    {
        return true;
    }
    // Otherwise we use default behaviour: allow valid redirects to the same context.
    URI uri;
    try
    {
        // Attempt to parse the URI
        uri = new URI(redirectUrl);
    }
    catch (URISyntaxException e)
    {
        // Invalid URI - not allowed. This stops possible header injection attacks (see SER-127)
        // but it is also good in general that if we can't parse a URI, then we can't trust it.
        return false;
    }
    // The URI is valid - if it is absolute, then check that it is to the same context
    return !uri.isAbsolute() || RedirectUtils.sameContext(redirectUrl, request);
}
I discovered that allowAnyUrl is not set to true. Should it not return true if I set allow.any.redirect.url?
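To make the behaviour of the check above concrete, here is an added stand-alone model of it (not Seraph's own code): the request is passed in as a plain RequestContext instead of an HttpServletRequest, and it assumes that RedirectUtils.sameContext compares scheme, host, port and context path, which is an assumption about the real helper.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class RedirectCheckDemo {
    // Minimal stand-in for the parts of HttpServletRequest the check needs (assumed shape).
    static final class RequestContext {
        final String scheme; final String host; final int port; final String contextPath;
        RequestContext(String scheme, String host, int port, String contextPath) {
            this.scheme = scheme; this.host = host; this.port = port; this.contextPath = contextPath;
        }
    }

    static int effectivePort(String scheme, int port) {
        if (port != -1) return port;
        return "https".equalsIgnoreCase(scheme) ? 443 : 80;
    }

    // Assumed semantics of RedirectUtils.sameContext: same scheme, host, port and context path.
    static boolean sameContext(URI uri, RequestContext req) {
        return req.scheme.equalsIgnoreCase(uri.getScheme())
            && req.host.equalsIgnoreCase(uri.getHost())
            && effectivePort(req.scheme, req.port) == effectivePort(uri.getScheme(), uri.getPort())
            && uri.getPath() != null
            && uri.getPath().startsWith(req.contextPath);
    }

    // Same control flow as Seraph's allowedRedirectDestination, with allowAnyUrl passed explicitly
    // so the effect of allow.any.redirect.url being honoured (or not) is visible.
    static boolean allowedRedirectDestination(String redirectUrl, boolean allowAnyUrl, RequestContext req) {
        if (allowAnyUrl) {
            return true; // total trust
        }
        URI uri;
        try {
            uri = new URI(redirectUrl); // illegal characters such as CR/LF make this throw
        } catch (URISyntaxException e) {
            return false; // unparsable value: never trusted
        }
        return !uri.isAbsolute() || sameContext(uri, req);
    }

    public static void main(String[] args) {
        RequestContext req = new RequestContext("http", "localhost", 8080, "/");
        String[] inputs = {
            "/display/sand/Home",                           // relative path from the bug report
            "http://localhost:8080/display/sand/Home",      // absolute, same context
            "http://other.example/display/sand/Home",       // absolute, different host
            "/display/sand/Home\r\nX-Injected: 1"           // CR/LF, not a valid URI
        };
        for (String in : inputs) {
            System.out.println("allowAnyUrl=false " + allowedRedirectDestination(in, false, req) + "  " + in.replace("\r\n", "\\r\\n"));
            System.out.println("allowAnyUrl=true  " + allowedRedirectDestination(in, true, req) + "  " + in.replace("\r\n", "\\r\\n"));
        }
    }
}
```

Running it side by side with allowAnyUrl true and false shows why the reporter's observation matters: unless the parameter actually sets allowAnyUrl, every destination still goes through the parse and same-context checks.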