
RedirectClientCallback puts full URLs into target parameter


Details

    • Bug
    • Resolution: Duplicate
    • Neutral
    • 6.2.4

    Description

      In Magnolia 6.2.4, the MAGNOLIA-7915 changes to LoginFilter made it permit redirects only to relative URLs.

      But when RedirectClientCallback is used to redirect a user from a restricted page to the login form, it injects the full URL into the redirect. That makes it incompatible with LoginFilter.

      For example, when a user requests the restricted "/account" page and the SecurityCallbackFilter is configured to use RedirectClientCallback, the latter sends a redirect response to a URL like "/account-login?from=http%3A%2F%2Fexample.org%2Faccount".

      That /account-login page takes the "from" parameter value "http://example.org/account" and typically puts it inside the login form in the "mgnlReturnTo" field.

      When the login credentials are then posted, the LoginFilter takes the full return URL from the "mgnlReturnTo" request parameter and rejects it as unsafe.

      The correct behaviour for RedirectClientCallback would be to inject the root-relative URL into the redirect URL, e.g. "/account-login?from=%2Faccount".
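      The chain described above, modelled as an added example (this is illustrative code, not Magnolia's RedirectClientCallback or LoginFilter): the reported behaviour puts the absolute request URL into "from", the proposed behaviour keeps only the root-relative path, and a MAGNOLIA-7915-style check that accepts only same-host relative URLs rejects the former and accepts the latter. The login page path, example host and the exact validation rule are assumptions.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

LOGIN_PAGE = "/account-login"  # assumed login page path, taken from the report


def buggy_redirect(request_url: str) -> str:
    """Reported behaviour: the full request URL is placed in 'from'."""
    return LOGIN_PAGE + "?" + urlencode({"from": request_url})


def fixed_redirect(request_url: str) -> str:
    """Proposed behaviour: only the root-relative path (plus query) goes into 'from'."""
    parts = urlsplit(request_url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return LOGIN_PAGE + "?" + urlencode({"from": target})


def return_url_from(redirect_location: str) -> str:
    """Model the login page copying 'from' into the mgnlReturnTo form field."""
    return parse_qs(urlsplit(redirect_location).query)["from"][0]


def is_safe_return_url(url: str) -> bool:
    """Illustrative relative-URL-only check in the spirit of MAGNOLIA-7915
    (an assumption, not Magnolia's implementation). Absolute URLs and
    protocol-relative or backslash forms that browsers may treat as a host
    change are rejected; only root-relative paths pass."""
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:        # http://example.org/... or //host/...
        return False
    if url.startswith(("//", "/\\")):       # defensive: browser-normalised forms
        return False
    return url.startswith("/")


def login_flow_accepts(redirect_location: str) -> bool:
    """Whether a login posted from that redirect survives the return-URL check."""
    return is_safe_return_url(return_url_from(redirect_location))


if __name__ == "__main__":
    # Constructed sample: user requests the restricted /account page on example.org.
    req = "http://example.org/account"
    print(buggy_redirect(req), login_flow_accepts(buggy_redirect(req)))  # rejected
    print(fixed_redirect(req), login_flow_accepts(fixed_redirect(req)))  # accepted
```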


    People

      eespana Enrique Espana
      azavodnik Andrey Zavodnik
      AdminX