You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sling.apache.org by "Konrad Windszus (JIRA)" <ji...@apache.org> on 2015/03/03 10:07:04 UTC
[jira] [Commented] (SLING-4469) SlingPostServlet: do not allow
redirects to other hosts
[ https://issues.apache.org/jira/browse/SLING-4469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14344771#comment-14344771 ]
Konrad Windszus commented on SLING-4469:
----------------------------------------
Attached is a patch which prevents redirects to other hosts.
> SlingPostServlet: do not allow redirects to other hosts
> -------------------------------------------------------
>
> Key: SLING-4469
> URL: https://issues.apache.org/jira/browse/SLING-4469
> Project: Sling
> Issue Type: Improvement
> Affects Versions: Servlets Post 2.3.6
> Reporter: Konrad Windszus
> Assignee: Konrad Windszus
> Attachments: SLING-4469-v01.patch
>
>
> Through the {{:redirect}} parameter of the {{SlingPostServlet}} arbitrary redirects are possible (http://sling.apache.org/documentation/bundles/manipulating-content-the-slingpostservlet-servlets-post.html#redirect). That should be limited so that redirects to other servers are not possible.
> Compare also with discussion at: http://www.mail-archive.com/dev@sling.apache.org/msg43348.html.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)