Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
Fixed open redirect security vulnerability #1383
The previous filter searched for two forward slashes "//" in the "_next” parameter and if the two forward slashes were found it would check the URI and determine if the hostname matched the hostname of the web server. If the hostname did not match, it would change the "next" variable to the None. However, browsers don't require two forward slashes. As a feature, browsers accept typos such as http:google.com or http:/google.com and redirect to http://google.com. This can be used to leverage an open redirect attack even with the current filter. This commit fixes the open redirect vulnerability in the _next get parameter. Thanks to jnbrex for helping debug/write the patch for this vulnerability.
Note: when testing this vulnerability, you must change the protocol in the URI. For example: if you are hosting the site using http, your redirect must go to a https site. Furthermore: http://web2py.com?_next=https:/malicioussite.com
Current coverage is 51.22%
@@ master #1383 diff @@ ========================================== Files 43 43 Lines 17358 17361 +3 Methods 0 0 Messages 0 0 Branches 4064 4067 +3 ========================================== Hits 8894 8894 Misses 7396 7396 - Partials 1068 1071 +3