Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[2.x] LogoutController permits open redirects #3949

Closed
imorland opened this issue Jan 5, 2024 · 0 comments · Fixed by #4091
Closed

[2.x] LogoutController permits open redirects #3949

imorland opened this issue Jan 5, 2024 · 0 comments · Fixed by #4091
Assignees
@SychO9
Labels
type/bug

Comments

@imorland
Copy link
Member

imorland commented Jan 5, 2024

Current Behavior

By manipulating the /logout endpoint, it is possible to trigger a redirect to any other url.

Steps to Reproduce

Visit /logout?return=https://evil.com, notice you are redirected to evil.com

Expected Behavior

By default, redirection to other hosts should not be permitted. It should be possible to create a whitelist of domains permitted in neccessary.

Screenshots

No response

Environment

  • Flarum version: x.y.z
  • Website URL: http://example.com
  • Webserver: [e.g. apache, nginx]
  • Hosting environment: [e.g. shared, vps]
  • PHP version: x.y.z
  • Browser: [e.g. chrome 67, safari 11]

Output of php flarum info

Output of "php flarum info", run this in terminal in your Flarum directory.

Possible Solution

Fixed on the 1.x branch #3948

Should we follow the same approach, or consider something different? Maybe Introduce a RedirectsServiceProvider as a central place for redirections to reference permitted domains? Perhaps extend RedirectRespose so that it can handle permitted domains behind the scenes?

Additional Context

No response
@imorland imorland changed the title [2.x] `LogoutController' permits open redirects [2.x] LogoutController permits open redirects Jan 5, 2024
@SychO9 SychO9 added this to the 2.0 milestone Oct 24, 2024
@SychO9 SychO9 self-assigned this Oct 24, 2024
@SychO9 SychO9 mentioned this issue Oct 24, 2024
Merged
@SychO9 SychO9 removed this from the 2.0 milestone Oct 24, 2024
@SychO9 SychO9 closed this as completed Oct 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@SychO9 SychO9

Labels
type/bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: Logout controller allows open redirects (#3948) flarum/framework
2 participants
@imorland @SychO9