[MAGNOLIA-8038] RedirectClientCallback puts full URLs into target parameter Created: 25/Mar/21  Updated: 15/Mar/23  Resolved: 15/Mar/23

Status: Closed
Project: Magnolia
Component/s: None
Affects Version/s: 6.2.4
Fix Version/s: None

Type: Bug Priority: Neutral
Reporter: Andrey Zavodnik Assignee: Enrique Espana
Resolution: Duplicate Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
duplicate
duplicates MAGNOLIA-7502 RedirectClientCallback is not working... Closed
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Date of First Response:
Epic Link: AdminX maintenance
Team: AdminX
Work Started:

 Description   

In Magnolia 6.2.4, the MAGNOLIA-7915 changes to LoginFilter were made, which only permit redirects to relative URLs.

But when RedirectClientCallback is used to redirect the user from a restricted page to the login form, it injects the full URL into the redirect. That makes it incompatible with LoginFilter.

For example, when a user requests a restricted "/account" page and the SecurityCallbackFilter is configured to use RedirectClientCallback, the latter will send a redirect response to a URL like "/account-login?from=http%3A%2F%2Fexample.org%2Faccount".

That /account-login page will take the "from" parameter value of "http://example.org/account" and typically put it inside the login form in the "mgnlReturnTo" field.

When the login credentials are then posted, the LoginFilter will take the full return URL from the "mgnlReturnTo" request parameter and reject it as unsafe.

The correct behaviour for RedirectClientCallback would be to inject the "root" URL representation into the redirect URL, e.g. "/account-login?from=%2Faccount".
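The flow in the description, as an added standalone Java illustration that is not Magnolia's code: the helper names (`loginRedirect`, `toRootRelative`, `isSafeReturnTo`) are assumptions modelled on the behaviour the report describes, not Magnolia APIs, and the "attacker.example" input is constructed. It builds the redirect both ways (full URL as currently emitted, root-relative as proposed) and runs both "mgnlReturnTo" values through a relative-only check of the kind LoginFilter applies, so the absolute form is rejected and the root-relative form passes.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

// Illustrative only: these helpers are assumptions modelled on the report, not Magnolia's classes.
public class ReturnToExample {

    /** Builds the login redirect the callback sends, with the target in the "from" parameter. */
    static String loginRedirect(String loginPage, String target) {
        return loginPage + "?from=" + URLEncoder.encode(target, StandardCharsets.UTF_8);
    }

    /** Reduces an absolute request URL to its "root" form (path plus query), as the report proposes. */
    static String toRootRelative(String requestUrl) {
        URI uri = URI.create(requestUrl);
        String path = uri.getRawPath();
        if (path == null || path.isEmpty()) {
            path = "/";
        }
        String query = uri.getRawQuery();
        return query == null ? path : path + "?" + query;
    }

    /**
     * Relative-only check of the kind the report says LoginFilter applies to "mgnlReturnTo":
     * accept a root-relative path, reject anything with a scheme or an authority
     * (absolute URLs, "//host/..." protocol-relative URLs, "javascript:" and friends).
     */
    static boolean isSafeReturnTo(String returnTo) {
        if (returnTo == null || returnTo.isEmpty()) {
            return false;
        }
        // Backslash tricks such as "/\\host" are not valid URIs and are rejected by the parser.
        URI uri;
        try {
            uri = new URI(returnTo);
        } catch (URISyntaxException e) {
            return false;
        }
        if (uri.getScheme() != null || uri.getAuthority() != null) {
            return false;
        }
        String path = uri.getPath();
        return path != null && path.startsWith("/") && !returnTo.startsWith("//");
    }

    public static void main(String[] args) {
        String requested = "http://example.org/account";

        // Current behaviour from the report: full URL ends up in "from", then in "mgnlReturnTo".
        String currentRedirect = loginRedirect("/account-login", requested);
        // Proposed behaviour: only the root-relative representation is carried along.
        String proposedRedirect = loginRedirect("/account-login", toRootRelative(requested));

        System.out.println("current : " + currentRedirect);
        System.out.println("proposed: " + proposedRedirect);

        System.out.println("full URL accepted by relative-only check?      "
                + isSafeReturnTo(requested));
        System.out.println("root-relative accepted by relative-only check? "
                + isSafeReturnTo(toRootRelative(requested)));
        // Constructed open-redirect attempt: protocol-relative target pointing off-site.
        System.out.println("//attacker.example/x accepted?                 "
                + isSafeReturnTo("//attacker.example/x"));
    }
}
```

The point of keeping `isSafeReturnTo` strict (scheme and authority both absent, path starting with a single slash) is that it is the same property that makes the root-relative "from" value round-trip cleanly: once the callback emits "/account" instead of "http://example.org/account", the post-login redirect is both accepted and still confined to the current host.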

 Comments   
Comment by Enrique Espana [ 15/Mar/23 ]

This issue will be fixed in the related ticket MAGNOLIA-7502

Generated at Mon Feb 12 04:29:05 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.