[
https://issues.apache.org/jira/browse/SLING-2287?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Felix Meschberger resolved SLING-2287.
--------------------------------------
Resolution: Fixed
Fix Version/s: Auth Core 1.0.8
Checking the redirect after logout as of Rev. 1202125.
In Rev. 1202128 also changed the default redirect (if not otherwise set) to
null (thus /) instead of the servlet context path, since the servlet context
path is being prefixed any way.
> Redirect after logging out is not validating the redirect link thus allowing
> to redirect outside of the scope of Sling
> ----------------------------------------------------------------------------------------------------------------------
>
> Key: SLING-2287
> URL: https://issues.apache.org/jira/browse/SLING-2287
> Project: Sling
> Issue Type: Bug
> Components: Authentication
> Affects Versions: Auth Core 1.0.6
> Reporter: Felix Meschberger
> Assignee: Felix Meschberger
> Fix For: Auth Core 1.0.8
>
>
> After logging out the Sling Authenticator can be instructed to redirect to
> somewhere else. This link is not currently checked for validity.
> Thus it is possible to redirect to another site after logging out.
> The idea, though, is to redirect to another location inside the same site
> after logging out.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
