Uploaded image for project: 'atlassian-seraph'
  1. atlassian-seraph
  2. SER-137

allow.any.redirect.url in seraph-config.xml is not respected in Confluence 3.0.0_01

    XMLWordPrintable

Details

    • Bug
    • Status: Open
    • Medium
    • Resolution: Unresolved
    • 0.38.3
    • None
    • None
    • true

    Description

      Tested in Confluence 3.0.0_01.

      I tried adding the allow.any.redirect.url parameter in my local instance and tested redirection with the following:
      http://localhost:8080/login.action?os_destination=%2Fdisplay%2Fsand%2FHome

      And this setting in seraph-config.xml:

      <init-param>
      <param-name>allow.any.redirect.url</param-name>
      <param-value>true</param-value>
      </init-param>
      

      The code involved is:

      public boolean allowedRedirectDestination(final String redirectUrl, final HttpServletRequest request)
          {
              // Test for total trust
              if (allowAnyUrl)
              {
                  return true;
              }
              // Otherwise we use default behaviour: allow valid redirects to the same context.
              URI uri;
              try
              {
                  // Attempt to parse the URI
                  uri = new URI(redirectUrl);
              }
              catch (URISyntaxException e)
              {
                  // Invalid URI - not allowed. This stops possible header injection attacks (see SER-127)
                  // but it is also good in general that if we can't parse a URI, then we can't trust it.
                  return false;
              }
              // The URI is valid - if it is absolute, then check that it is to the same context
              return !uri.isAbsolute() || RedirectUtils.sameContext(redirectUrl, request);
          }
      

      I discovered that allowAnyUrl is not set to true. Should it not return true if I set allow.any.redirect.url?

      Attachments

        Activity

          People

            Unassigned Unassigned
            rhartono Roy Hartono [Atlassian]
            Votes:
            2 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              13 years, 8 weeks, 2 days ago