Please sign in to comment.
Fix redirect URL validation bypass
It turns out that browsers silently convert backslash characters into forward slashes, while apr_uri_parse() does not. This mismatch allows an attacker to bypass the redirect URL validation by using an URL like: https://sp.example.org/mellon/logout?ReturnTo=https:%5c%5cmalicious.example.org/ mod_auth_mellon will assume that it is a relative URL and allow the request to pass through, while the browsers will use it as an absolute url and redirect to https://malicious.example.org/ . This patch fixes this issue by rejecting all redirect URLs with backslashes.
- Loading branch information...