Open redirections are bad #506

Closed

Etiennef opened this issue Mar 1, 2016 · 2 comments

Etiennef commented Mar 1, 2016

Hello,
Being unsatisfied by the redirection mechanism in GLPI 0.84, I decided to check if it had changed in a more recent version. The answer was yes, and although I like the fact that having to authenticate does not lose track of which link you used, I could not help noticing that it allows redirection without checking anything.
I'm pretty sure it has to be considered as a security breach. Not a major one, but still. Right now, if you use a link like this one: http://glpi.localhost/index.php?redirect=https%3A%2F%2Fwww.owasp.org%2Findex.php%2FOpen_redirect, you can redirect anyone to any page.
I'm pretty new to git usage and GitHub, but I'll try to make a pull request with a very minor fix against that. Basically, my proposition is to allow redirection only if it redirects toward this entity of GLPI (as I don't see any situation where it would be justified to use GLPI to redirect to somewhere else).
It is only a proposition, of course, as I'm not entirely sure it won't have any side effect, and not a complete one either, as I add a message and did not take translation into account doing so.
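
A same-site check of the kind the report proposes, as an added PHP example (not GLPI's own code and not the fix that was eventually committed). It assumes a `$ownHost` parameter holding the host GLPI is served from, taken from configuration rather than from the request's Host header, and only accepts targets that stay on that host.

```php
<?php
// Added example, not GLPI code: decide whether a ?redirect= value may be followed.
// Only same-site targets are accepted. $ownHost is assumed to come from GLPI's
// configured base URL, not from the incoming Host header (which an attacker controls).
function isSafeRedirectTarget(string $redirect, string $ownHost): bool
{
    $redirect = trim($redirect);
    if ($redirect === '') {
        return false;
    }
    // Browsers treat "\\evil.example" like "//evil.example"; normalise before checking.
    $candidate = str_replace('\\', '/', $redirect);

    // Anything starting with a scheme (http:, https:, javascript:, data:, ...)
    // is an absolute target and must be checked against our own host.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $candidate)) {
        $parts = parse_url($candidate);
        if ($parts === false || !isset($parts['host'])) {
            return false; // javascript:, data:, or unparsable
        }
        if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
            return false;
        }
        // parse_url puts "user@" into 'user', so "https://glpi.localhost@evil/" yields host "evil".
        return strcasecmp($parts['host'], $ownHost) === 0;
    }
    // Protocol-relative URLs ("//evil.example/...") inherit the scheme but change host.
    if (strpos($candidate, '//') === 0) {
        return false;
    }
    // What remains is a path (or query-only) target inside this GLPI instance.
    return true;
}

// Constructed checks; the first entry is the URL from the report above.
$own = 'glpi.localhost';
$cases = [
    'https://www.owasp.org/index.php/Open_redirect' => false,
    'https://glpi.localhost/front/central.php'      => true,
    'https://glpi.localhost@www.owasp.org/'         => false,
    '//www.owasp.org/'                              => false,
    '\\\\www.owasp.org/'                            => false,
    'javascript:alert(1)'                           => false,
    'front/ticket.form.php?id=12'                   => true,
    '/front/central.php'                            => true,
];
foreach ($cases as $target => $expected) {
    $ok = isSafeRedirectTarget($target, $own);
    assert($ok === $expected);
    printf("%-48s %s\n", $target, $ok ? 'allowed' : 'blocked');
}
```

The remaining decision for an application is what to do with a blocked value: falling back to the default landing page (and logging the rejected target) is the usual choice, rather than echoing the value back in an error message.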

@Etiennef Etiennef changed the title Open redirection are bad Open redirections are bad Mar 1, 2016
@orthagh orthagh added this to the 0.90.2 milestone Mar 2, 2016
orthagh (Contributor) commented Mar 2, 2016

see 9cd97f9 & 78a9122

@orthagh orthagh closed this as completed Mar 2, 2016
orthagh (Contributor) commented Mar 21, 2016

missing parts added in 10cd7b0 & 8fbf6ef
