Security issue with redirect url

[jerone]

d2a8b62#commitcomment-10437728

This change creates a big security issue. One from the OWASP top 10 violation: OWASP A10 - Unvalidated Redirect.

You publicly store the redirect url without validating it, which is valuable for phishing and spam. The session redirect wasn't perfect too without validation, but at least it was hidden from the public.

[sizzlemctwizzle]

I knew I forgot to do something. Nice catch.

[Martii]

This feature should probably default to / when authentication changes to guest e.g. when I log out and I'm on an admin page it currently "gracefully fails" which mucks up the logs a bit.

[Martii]

Redirect loop detected... log in with an account that doesn't exist to have it redirect back to /register... then login with one that does and redirect takes it back to /register ... auth routine okay but redirect validation needed.

[Martii]

@sizzlemctwizzle and/or @jerone
Is there some reason why getRedirect() is in two places (here and here) and is exactly the same code? Would it be prudent to place it in ./libs/helpers.js or somewhere more common for reuse?

I do see the hostname check in these but no domain validation either. I'm thinking we are missing both near and far tampering (checks) too.

[jerone]

In an attempt to clean up my created issues that have not been processed or updated over a year, I'm closing this issue. If this issue is still relevant, please reopen another issue.