Posted to dev@sling.apache.org by "Felix Meschberger (Created) (JIRA)" <ji...@apache.org> on 2011/11/15 11:52:51 UTC
[jira] [Created] (SLING-2287) Redirect after logging out is not validating the redirect link thus allowing to redirect outside of the scope of Sling
Redirect after logging out is not validating the redirect link thus allowing to redirect outside of the scope of Sling
----------------------------------------------------------------------------------------------------------------------
Key: SLING-2287
URL: https://issues.apache.org/jira/browse/SLING-2287
Project: Sling
Issue Type: Bug
Components: Authentication
Affects Versions: Auth Core 1.0.6
Reporter: Felix Meschberger
Assignee: Felix Meschberger
After logging out the Sling Authenticator can be instructed to redirect to somewhere else. This link is not currently checked for validity.
Thus it is possible to redirect to another site after logging out.
The idea, though, is to redirect to another location inside the same site after logging out.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Resolved] (SLING-2287) Redirect after logging out is not validating the redirect link thus allowing to redirect outside of the scope of Sling
Posted by "Felix Meschberger (Resolved) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SLING-2287?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Felix Meschberger resolved SLING-2287.
--------------------------------------
Resolution: Fixed
Fix Version/s: Auth Core 1.0.8
Checking the redirect after logout as of Rev. 1202125.
In Rev. 1202128 also changed the default redirect (if not otherwise set) to null (thus /) instead of the servlet context path, since the servlet context path is being prefixed anyway.
> Redirect after logging out is not validating the redirect link thus allowing to redirect outside of the scope of Sling
> ----------------------------------------------------------------------------------------------------------------------
>
> Key: SLING-2287
> URL: https://issues.apache.org/jira/browse/SLING-2287
> Project: Sling
> Issue Type: Bug
> Components: Authentication
> Affects Versions: Auth Core 1.0.6
> Reporter: Felix Meschberger
> Assignee: Felix Meschberger
> Fix For: Auth Core 1.0.8
>
>
> After logging out the Sling Authenticator can be instructed to redirect to somewhere else. This link is not currently checked for validity.
> Thus it is possible to redirect to another site after logging out.
> The idea, though, is to redirect to another location inside the same site after logging out.
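A redirect-target check of the kind the resolution describes, written here as an added Java example (not Sling's own Auth Core code from Rev. 1202125). The class name, the `/sling` context path and the sample targets are assumptions; the check accepts only a site-absolute path at or below the context path and falls back to the root otherwise.

```java
import java.net.URI;
import java.net.URISyntaxException;

public final class LogoutRedirectCheck {

    // Accepts only a site-absolute path at or below the servlet context path.
    // Scheme-bearing ("https://other.site/", "javascript:..."), protocol-relative
    // ("//other.site/"), traversal above the context and unparseable input are rejected.
    public static boolean isValidRedirectTarget(String contextPath, String target) {
        if (target == null || target.isEmpty()) {
            return false;
        }
        final URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            return false;  // backslashes, CR/LF and other illegal characters
        }
        if (uri.isAbsolute() || uri.getRawAuthority() != null) {
            return false;  // has a scheme or a host part: leaves the site
        }
        String path = uri.normalize().getRawPath();
        if (path == null || !path.startsWith("/") || path.startsWith("/..")) {
            return false;  // relative, query/fragment only, or climbs above "/"
        }
        String ctx = (contextPath == null) ? "" : contextPath;
        return ctx.isEmpty() || path.equals(ctx) || path.startsWith(ctx + "/");
    }

    // Where to send the browser after logout: the requested target if it passes,
    // otherwise the site root under the context path (the default the fix uses).
    public static String logoutRedirect(String contextPath, String requested) {
        if (isValidRedirectTarget(contextPath, requested)) {
            return requested;
        }
        return (contextPath == null || contextPath.isEmpty()) ? "/" : contextPath + "/";
    }

    public static void main(String[] args) {
        String ctx = "/sling";  // assumed servlet context path
        String[] targets = { "/sling/content/home.html", "/sling", "/slingx/other",
                "https://other.site/", "//other.site/", "/sling/../../etc",
                "javascript:alert(1)", "/\\other.site", null };
        for (String t : targets) {
            System.out.println(t + " -> " + logoutRedirect(ctx, t));
        }
    }
}
```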