Forum OpenACS Development: Re: Security breach in ad_returnredirect! Really?

Posted by Gustaf Neumann on
Redirection to absolute URLs has been disallowed by default in OpenACS for a while. One can use "-allow_complete_url" to enforce usage to trusted hosts.

see: http://openacs.org/api-doc/proc-view?proc=ad_returnredirect

Posted by Frank Bergmann on
There is something going wrong with the check for external_url in my OpenACS 5.7:

util::external_url_p "http://www.google.com/"
=> 0

Frank

Posted by Gustaf Neumann on
Can it be that ]po[ was bought in the meantime by Google, and this URL is therefore internal? :)

Anyhow, in oacs-5-8, the test correctly returns => 1

-g
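
An added example, not OpenACS code and not written by any poster in this thread: one way to classify a redirect target as local or external and apply a trusted-host list, the kind of check discussed above. The proc names and the hosts `openacs.example` and `partner.example` are hypothetical, and this does not show how `util::external_url_p` is implemented.

```tcl
# Added example, not OpenACS source. All proc names, the local host and
# the trusted-host list are hypothetical.

# Classify a redirect target. Returns a two-element list: kind and host.
# kind is "relative", "opaque" (scheme without an authority part, such
# as javascript: or mailto:) or "absolute" (host is then filled in).
proc example_url_target {url} {
    # Browsers ignore surrounding whitespace and treat a backslash like
    # a slash, so normalize both before looking for an authority part.
    set u [string map {\\ /} [string trim $url]]
    if {[regexp {^([a-zA-Z][a-zA-Z0-9+.-]*:)?//([^/?#]*)} $u -> scheme authority]} {
        regsub {^.*@} $authority {} host   ;# drop userinfo before the host
        regsub {:[0-9]*$} $host {} host    ;# drop the port
        return [list absolute [string tolower $host]]
    }
    if {[regexp {^[a-zA-Z][a-zA-Z0-9+.-]*:} $u]} {
        return [list opaque ""]
    }
    return [list relative ""]
}

# Decide whether a redirect may be issued. Relative targets and the
# site's own host are allowed; other hosts only when explicitly trusted.
proc example_redirect_ok_p {url local_host {trusted_hosts {}}} {
    lassign [example_url_target $url] kind host
    switch -- $kind {
        relative { return 1 }
        opaque   { return 0 }
    }
    set allowed [string tolower [concat [list $local_host] $trusted_hosts]]
    return [expr {$host in $allowed}]
}

# Constructed sample inputs: a local path, two spellings of an external
# host, a userinfo trick, a scheme-only URL and a trusted partner host.
foreach url {
    /register/
    http://www.google.com/
    //www.google.com/
    https://openacs.example@www.google.com/
    javascript:alert(1)
    https://partner.example/landing
} {
    set ok [example_redirect_ok_p $url openacs.example {partner.example}]
    puts [format "%-42s allowed=%d" $url $ok]
}
```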