Posted to users@sling.apache.org by Jason Bailey <Ja...@sas.com> on 2014/03/04 17:43:18 UTC
Sling :redirect as a security vulnerability
We're reviewing our recent security scans and we had a red flag on the usage of ":redirect" in our forms. It's being flagged as a potential attack vector, as you can set this to any URL.
So, knowing that these reports are indicators of potential problems and not always valid, I wanted to get some clarity from the Sling user base as to whether they have seen this before. Is there a setting that I am missing? Or do I need to do something additional to prevent this from being an issue? Etc.
Thanks
-Jason Bailey
Re: Sling :redirect as a security vulnerability
Posted by Ravi Teja Lokineni <ra...@gmail.com>.
I have added a pull request (including a test case) to fix this vulnerability:
https://github.com/apache/sling/pull/12
On Thu, Mar 6, 2014 at 4:32 PM, bond <ra...@gmail.com> wrote:
> I got this on one of the scans as well. The problem lies in
> http://svn.apache.org/repos/asf/sling/trunk/bundles/auth/form/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java,
> FYI in my case.
>
> Code in trunk:
>
>     if (resource != null) {
>         try {
>             response.sendRedirect(resource);
>         } catch (IOException ioe) {
>             log.error("Failed to send redirect to: " + resource, ioe);
>         }
>
>         // terminate request, all done
>         result = true;
>     }
>
> Suggested code change: change response.sendRedirect to sendRedirect (this
> method URL-encodes the resource parameter):
>
>     if (resource != null) {
>         try {
>             sendRedirect(resource);
>         } catch (IOException ioe) {
>             log.error("Failed to send redirect to: " + resource, ioe);
>         }
>
>         // terminate request, all done
>         result = true;
>     }
--
Ravi Teja Lokineni | Software Engineer
Oracle India Pvt. Ltd.
E: raviteja.lokineni@gmail.com
<https://www.linkedin.com/in/ravitejalokineni>
Re: Sling :redirect as a security vulnerability
Posted by bond <ra...@gmail.com>.
I got this on one of the scans as well. The problem lies in
http://svn.apache.org/repos/asf/sling/trunk/bundles/auth/form/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java,
FYI in my case.
Code in trunk:

    if (resource != null) {
        try {
            response.sendRedirect(resource);
        } catch (IOException ioe) {
            log.error("Failed to send redirect to: " + resource, ioe);
        }

        // terminate request, all done
        result = true;
    }

Suggested code change: change response.sendRedirect to sendRedirect (this
method URL-encodes the resource parameter):

    if (resource != null) {
        try {
            sendRedirect(resource);
        } catch (IOException ioe) {
            log.error("Failed to send redirect to: " + resource, ioe);
        }

        // terminate request, all done
        result = true;
    }
--
View this message in context: http://apache-sling.73963.n3.nabble.com/Sling-redirect-as-a-security-vulnerability-tp4031637p4031741.html
Sent from the Sling - Users mailing list archive at Nabble.com.
Re: Sling :redirect as a security vulnerability
Posted by Carsten Ziegeler <cz...@apache.org>.
If you're using the Sling security bundle, the referrer is checked for POST
requests, which should give you enough protection.
Carsten
2014-03-04 17:43 GMT+01:00 Jason Bailey <Ja...@sas.com>:
> We're reviewing our recent security scans and we had a red flag on the
> usage of ":redirect" in our forms. It's being flagged as a potential attack
> vector, as you can set this to any URL.
> So, knowing that these reports are indicators of potential problems and not
> always valid, I wanted to get some clarity from the Sling user base as to
> whether they have seen this before. Is there a setting that I am missing?
> Or do I need to do something additional to prevent this from being an issue? Etc.
>
> Thanks
>
> -Jason Bailey
>
--
Carsten Ziegeler
cziegeler@apache.org
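The two replies above point at two different checks a handler can apply before a value taken from the ":redirect" form field or the form login "resource" parameter reaches response.sendRedirect(): bond's post concerns the redirect target itself, Carsten's the Referer of the POST that carries it. The following is an added example written for this page, not Apache Sling code and not the pull request linked above; the class, method and parameter names (RedirectGuard, isSafeRedirectTarget, isReferrerAllowed, chooseRedirect) and all sample values are the example's own. It treats a target as acceptable only when it is an absolute path within the servlet context and free of characters that browsers or the Location header would reinterpret, and it accepts a Referer only when its host is on an explicit allow list.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Added illustration for this thread; hypothetical names, not Apache Sling code.
 * Two checks to run before response.sendRedirect() on a caller-supplied target:
 *   1. the target must be a local path on this server (the ":redirect" concern), and
 *   2. the POST carrying it must come from a trusted origin, judged by the Referer.
 */
public final class RedirectGuard {

    private RedirectGuard() { }

    /** True if target is an absolute path under contextPath that we are willing to redirect to. */
    public static boolean isSafeRedirectTarget(String target, String contextPath) {
        if (target == null || target.isEmpty()) {
            return false;
        }
        for (int i = 0; i < target.length(); i++) {
            char c = target.charAt(i);
            // CR/LF would split the Location header. Other control characters (TAB etc.)
            // are silently dropped by some browsers, so "/\t/x" could become "//x".
            // Backslash is treated as "/" by several browsers, so "/\evil" could become "//evil".
            if (c < 0x20 || c == 0x7f || c == '\\') {
                return false;
            }
        }
        // Absolute path only: rejects "http://...", protocol-relative "//host/..." and relative paths.
        if (!target.startsWith("/") || target.startsWith("//")) {
            return false;
        }
        // Stay inside our own servlet context ("" is the root context, the usual Sling setup).
        String ctx = contextPath == null ? "" : contextPath;
        return ctx.isEmpty() || target.equals(ctx) || target.startsWith(ctx + "/");
    }

    /** Returns target when it passes the check, otherwise a fixed fallback the handler controls. */
    public static String chooseRedirect(String target, String contextPath, String fallback) {
        return isSafeRedirectTarget(target, contextPath) ? target : fallback;
    }

    /**
     * True if the Referer names one of the allowed hosts (exact, case-insensitive match;
     * the port is ignored). A missing or unparsable Referer passes only when allowEmpty is set.
     */
    public static boolean isReferrerAllowed(String referer, Set<String> allowedHosts, boolean allowEmpty) {
        if (referer == null || referer.isEmpty()) {
            return allowEmpty;
        }
        final String host;
        try {
            host = new URI(referer).getHost();
        } catch (URISyntaxException e) {
            return false;
        }
        if (host == null) {
            return false; // relative or otherwise host-less Referer value
        }
        return allowedHosts.contains(host.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed sample targets, the kind a scanner or an attacker would submit.
        String[] targets = {
            "/content/thankyou.html",          // accepted
            "http://evil.example/phish",       // rejected: absolute URL
            "//evil.example/phish",            // rejected: protocol-relative URL
            "/\\evil.example",                 // rejected: backslash
            "/content/x\r\nSet-Cookie: a=b",   // rejected: header injection
            "content/relative.html"            // rejected: not an absolute path
        };
        for (String t : targets) {
            String shown = t.replace("\r", "\\r").replace("\n", "\\n");
            System.out.printf("%-40s -> %s%n", shown, chooseRedirect(t, "", "/"));
        }

        // Constructed Referer values against a hypothetical allow list (hosts in lower case).
        Set<String> allowed = new HashSet<>(Arrays.asList("www.example.com", "localhost"));
        String[] referers = { "https://www.example.com/form.html", "https://evil.example/", null, "not a url" };
        for (String r : referers) {
            System.out.printf("Referer %-36s -> %s%n", r, isReferrerAllowed(r, allowed, false));
        }
    }
}
```

The target check is deliberately an allow rule (absolute path inside the context) rather than a deny list of schemes, since percent-encoding or a different scheme spelling does not change where a browser will go; the Referer check compares whole host names so that "www.example.com.evil.example" does not match "www.example.com". Browsers may omit the Referer on some requests, so whether a missing header is accepted is an explicit policy decision (allowEmpty) rather than a default.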