Hello Jérôme,
Hi,

Neither XML escaping nor an "http(s)" check will protect you against malicious redirect URLs like the one Marvin wrote: https://cas.example.com/cas/logout?url=https://thepiratebay.se.
I agree. As I see it, there are two issues that must be addressed:
1) Protect from invalid url parameter contents (i.e. protect from executing malicious code)
2) Protect from redirecting to unwanted URLs (i.e. https://cas.example.com/cas/logout?url=https://thepiratebay.se)

So my original question would now be... Are XML escaping and an 'http(s)' check "enough" measures to address the first issue? Are there any other ideas/comments/...?
We faced the same problem and we had to check the host of the redirect URL to avoid a security breach and unwanted redirections. You could do that with regexp pattern matching or a simple String.startsWith test (if url.startsWith("http://www.authorizedurl.com/")).

Best regards,
Jérôme
That's a better approach than the http(s)-only check; that should address both issues...

Thanks,
Pavlos
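The three checks discussed in this thread side by side, as an added example that is not CAS code and not code from any poster: a scheme-only check, a String.startsWith-style prefix check with the trailing slash, and a check that parses the URL and compares the host against an allowlist. The host names and the sample URLs are constructed for the example; www.authorizedurl.com is the hypothetical allowed host from Jérôme's message.

```python
"""Validating the target of a logout ?url= redirect.

Added example; not CAS code. Host names and sample URLs are hypothetical.
"""
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts the logout endpoint may send the browser to.
ALLOWED_HOSTS = {"www.authorizedurl.com"}
ALLOWED_SCHEMES = {"http", "https"}


def scheme_only_check(url: str) -> bool:
    """Only verifies the scheme: stops javascript:/data: URLs, not open redirects."""
    return url.startswith(("http://", "https://"))


def prefix_check(url: str) -> bool:
    """String.startsWith-style check. The trailing slash is what keeps
    www.authorizedurl.com.evil.example and www.authorizedurl.com@evil.example out."""
    return any(url.startswith(f"{scheme}://{host}/")
               for scheme in ALLOWED_SCHEMES for host in ALLOWED_HOSTS)


def host_allowlist_check(url: str) -> bool:
    """Parse the URL and compare scheme and host exactly (case-insensitive).

    Unlike the prefix test this accepts legitimate variants such as an
    uppercase host or a URL with a query but no path, while still rejecting
    userinfo tricks, lookalike hosts and protocol-relative URLs.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ALLOWED_SCHEMES:            # urlsplit lowercases the scheme
        return False
    if parts.username is not None or parts.password is not None:
        return False                                    # reject http://allowed@evil/ forms
    host = parts.hostname                               # lowercased; port and userinfo removed
    return host is not None and host in ALLOWED_HOSTS


# Constructed inputs: legitimate targets first, then the attack shapes.
SAMPLES = [
    "https://www.authorizedurl.com/app",           # legitimate
    "HTTP://WWW.AUTHORIZEDURL.COM/app",            # legitimate, different case
    "http://www.authorizedurl.com?ticket=1",       # legitimate, query without path
    "https://thepiratebay.se",                     # the thread's open-redirect example
    "javascript:alert(1)",                         # script scheme
    "//evil.example/",                             # protocol-relative
    "http://www.authorizedurl.com.evil.example/",  # lookalike host
    "http://www.authorizedurl.com@evil.example/",  # allowed host placed in userinfo
]


def evaluate(urls=SAMPLES):
    """Run all three checks; returns {url: (scheme_only, prefix, host_allowlist)}."""
    return {u: (scheme_only_check(u), prefix_check(u), host_allowlist_check(u))
            for u in urls}


if __name__ == "__main__":
    for url, (scheme_ok, prefix_ok, host_ok) in evaluate().items():
        print(f"{url:45} scheme-only={scheme_ok!s:5} prefix={prefix_ok!s:5} host={host_ok!s:5}")
```

The scheme-only check passes every attack except the script scheme and the protocol-relative URL; the prefix check rejects all the attacks but also rejects two legitimate targets (uppercase host, query without a path slash); the parsed host comparison accepts all three legitimate forms and rejects all five attacks. Note that the prefix check only holds up because of the trailing slash: without it, www.authorizedurl.com.evil.example and www.authorizedurl.com@evil.example would both pass.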
