Merge ~pelpsi/launchpad:avoid-open-redirect-attack-on-logout into launchpad:master
Proposed by: Simone Pelosi

| Status | Merged |
|---|---|
| Approved by | Simone Pelosi |
| Approved revision | 60cf04570d5ade9b5014bd906f5a0797af504fef |
| Merge reported by | Otto Co-Pilot |
| Merged at revision | not available |
| Proposed branch | ~pelpsi/launchpad:avoid-open-redirect-attack-on-logout |
| Merge into | launchpad:master |
| Diff against target | 95 lines (+56/-3), 2 files modified: lib/launchpad_loggerhead/app.py (+8/-2), lib/launchpad_loggerhead/tests.py (+48/-1) |
| Related bugs | |

| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Colin Watson (community) | Approve | | |

Review via email: mp+439730@code.launchpad.net
Commit message
Restricted user control on next_to redirect

A penetration test found that the logout redirect is vulnerable to an open redirect
attack. The "next_to" URL is now validated: if it belongs to our domains, the
user is redirected to that URL; otherwise the user is redirected to
a default URL (the homepage).
Thanks for the correction. Could you also add a test that a request to `config.codehosting.secure_codebrowse_root + "+logout?" + urlencode({"next_to": config.launchpad.openid_provider_root + "+logout"})` works, since that's roughly what `CookieLogoutPage` does? (No need for re-review after adding that.)
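The validation the commit message describes (trust `next_to` only when it points at one of our own domains, otherwise fall back to the homepage), together with the request shape from the review comment above, as an added illustration that is not Launchpad's own code. The config roots, the homepage value and the function names are constructed stand-ins, and the allowlist is limited to absolute http(s) URLs on known hosts, which also rejects the usual open-redirect shapes (`//host`, `scheme:host`, `user@host`, non-http schemes).

```python
from urllib.parse import urlsplit, urlencode, parse_qs

# Constructed stand-ins for the config values named on this page (not the real config).
CODEBROWSE_ROOT = "https://bazaar.launchpad.test/"       # config.codehosting.secure_codebrowse_root
OPENID_PROVIDER_ROOT = "https://testopenid.test/"        # config.launchpad.openid_provider_root
HOMEPAGE = "https://launchpad.test/"                     # default redirect when next_to is untrusted

# Hosts that a next_to value is allowed to point at (assumption: exact-host allowlist).
ALLOWED_HOSTS = frozenset(
    urlsplit(root).hostname for root in (CODEBROWSE_ROOT, OPENID_PROVIDER_ROOT, HOMEPAGE)
)


def is_trusted_next_to(url):
    """True only for an absolute http(s) URL whose host is one of ours.

    Rejects scheme-relative '//evil', 'https:evil' (no netloc), non-http
    schemes such as javascript:, userinfo tricks like 'ours@evil', and
    control characters or backslashes that parsers disagree about.
    """
    if not url or any(ch in url for ch in "\\\r\n\t"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return parts.hostname in ALLOWED_HOSTS


def logout_redirect_target(next_to):
    """Redirect to next_to when it is trusted, otherwise to the homepage."""
    return next_to if is_trusted_next_to(next_to) else HOMEPAGE


def codebrowse_logout_url(next_to):
    """Builds the codebrowse +logout URL in the shape the review comment describes."""
    return CODEBROWSE_ROOT + "+logout?" + urlencode({"next_to": next_to})


def handle_logout_request(query_string):
    """Simulated logout view: read next_to from the query string and pick the target."""
    next_to = parse_qs(query_string).get("next_to", [""])[0]
    return logout_redirect_target(next_to)
```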