---
**[tickets:#7545] return_to param should be validated for relative URLs**
**Status:** closed
**Milestone:** asf_release_1.2.0
**Labels:** security sf-1
**Created:** Mon Jul 07, 2014 04:32 PM UTC by Dave Brondsema
**Last Updated:** Wed Dec 03, 2014 11:35 AM UTC
**Owner:** Cory Johns
The login form return_to param should only accept relative URLs, and not
external URLs. An easy check is that '//' is not in the return_to URL (it
matches protocol-less URLs too).
This will prevent phishing sites from taking advantage of the login flow to
present a malicious page.
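The check proposed in the ticket, side by side with a stricter validator, as an added example that is not code from Allura or from the ticket author. The sample return_to values are constructed, and the second validator goes beyond the ticket's rule: it also rejects non-http schemes, unrooted paths, control characters, and the backslash form `/\host` that some browsers treat like `//host`.

```python
from urllib.parse import urlsplit

# Constructed sample return_to values, paired with whether a login form
# should honour them (True) or fall back to the site root (False).
SAMPLE_RETURN_TO = [
    ("/p/allura/tickets/7545/", True),       # plain site-relative path
    ("/auth/prefs?tab=oauth", True),         # relative path with a query string
    ("http://evil.example/login", False),    # absolute external URL
    ("https://evil.example/", False),
    ("//evil.example/", False),              # protocol-relative URL
    ("/\\evil.example/", False),             # backslash variant some browsers read as '//'
    ("javascript:alert(1)", False),          # non-http scheme, no '//' at all
    ("tickets/", False),                     # not rooted; resolves relative to the current page
    ("", False),
]


def is_safe_return_to_simple(return_to):
    """The ticket's proposed check: reject anything containing '//'.

    This rejects absolute http(s) URLs and protocol-relative URLs alike,
    but accepts every other string, including non-http schemes.
    """
    return "//" not in return_to


def is_safe_return_to(return_to):
    """Stricter check: accept only a rooted, site-relative path.

    Expects the already URL-decoded query parameter value.
    """
    if not return_to or not return_to.startswith("/"):
        return False
    # The second character must not be '/' or '\': '//host' is protocol-relative
    # and '/\host' is treated the same way by some browsers.
    if return_to[1:2] in ("/", "\\"):
        return False
    # Reject control characters outright (newlines in a Location header, etc.).
    if any(ord(c) < 0x20 or c == "\x7f" for c in return_to):
        return False
    # Parse and confirm there is neither a scheme nor a host component.
    parts = urlsplit(return_to)
    if parts.scheme or parts.netloc:
        return False
    # The ticket's own rule, kept as a second line of defence.
    if "//" in return_to:
        return False
    return True


def safe_return_to(return_to, default="/"):
    """Return the validated return_to, or the default landing page."""
    return return_to if is_safe_return_to(return_to) else default


def evaluate(samples=SAMPLE_RETURN_TO):
    """For each validator, list the sample values whose verdict differs from
    the expected one; an empty list means every sample was handled as intended."""
    return {
        "simple": [v for v, ok in samples if is_safe_return_to_simple(v) != ok],
        "strict": [v for v, ok in samples if is_safe_return_to(v) != ok],
    }


if __name__ == "__main__":
    print(evaluate())
```

Running the block shows the `'//'` check alone letting through the non-http scheme, the backslash form, the unrooted path, and the empty string, while the strict validator rejects all of them; a login handler would call `safe_return_to()` on the parameter and redirect to its result.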
---
Sent from forge-allura.apache.org because [email protected] is subscribed
to https://forge-allura.apache.org/p/allura/tickets/
To unsubscribe from further messages, a project admin can change settings at
https://forge-allura.apache.org/p/allura/admin/tickets/options. Or, if this is
a mailing list, you can unsubscribe from the mailing list.