Forum OpenACS Development: ad_returnredirect and external auth

We updated a local install with a recent version of the toolkit and discovered that someone broke the external authority recover password feature by adding some "redirection to external hosts not allowed" code. There needs to be a list of allowed external hosts so that the authentication package can forward people to external password management hosts.

Anyone remember who added this feature/bug and/or have any suggestions on how to fix it?

-----
Redirection to external hosts is not allowed.
while executing
"error "Redirection to external hosts is not allowed.""
(procedure "ad_returnredirect" line 13)
invoked from within
"ad_returnredirect $forgotten_url"
(procedure "auth::password::recover_password" line 32)

Posted by Dave Bauer on
There is an optional parameter to ad_returnredirect.

The recover_password procedure should use a configuration of the external authority to redirect to the explicit URL only using the optional parameter.

    if { $forgotten_url ne "" } {
        ad_returnredirect $forgotten_url
        ad_script_abort
    }

could be changed to use the new allow_complete_url parameter.

    ad_proc -public ad_returnredirect {
        {-message {}}
        {-html:boolean}
        {-allow_complete_url:boolean}
        target_url
    } {

Posted by Dave Bauer on
A list of allowed hosts is not secure. This would allow anyone to craft a link that included a return_url that was not designated by the application.

Using the configured password URL for the authority is OK since it's not user-supplied data. So by default we always reject external URLs, just like we HTML-quote data supplied in variables that could be user-entered data. Return_url is usually passed in as a URL variable, so it needs to be checked for valid input.

Anyplace you are using a return_url that has been supplied by the system instead of a URL variable, you can use the allow_complete_url switch to allow external URLs.
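The rule from both replies above (a return_url that arrives as a URL variable stays site-relative; the authority's configured forgotten-password URL opts in with -allow_complete_url), worked through as an added Tcl example. This is not OpenACS code and not Dave's: demo_returnredirect, demo_recover_password and the sample URLs are assumptions standing in for the real ad_returnredirect and auth::password::recover_password, which live in acs-tcl and acs-authentication.

```tcl
# Added illustration, not OpenACS code. demo_returnredirect is a minimal
# stand-in for the check in ad_returnredirect: it parses the same switches
# (-message, -html, -allow_complete_url) and refuses a complete URL
# (scheme://host or protocol-relative //host) unless the caller opted in.
# It returns the URL a redirect would go to instead of issuing one.
proc demo_returnredirect {args} {
    set allow_complete_url 0
    set message {}
    # Leading switches; the last argument is always target_url.
    while {[llength $args] > 1} {
        set opt  [lindex $args 0]
        set args [lrange $args 1 end]
        switch -- $opt {
            -allow_complete_url { set allow_complete_url 1 }
            -html               { }
            -message            { set message [lindex $args 0]
                                  set args [lrange $args 1 end] }
            default             { error "unknown switch $opt" }
        }
    }
    set target_url [lindex $args 0]
    # A scheme prefix or a leading // names another host; both count as complete URLs.
    if {[regexp -nocase {^([a-z][a-z0-9+.-]*:)?//} $target_url] && !$allow_complete_url} {
        error "Redirection to external hosts is not allowed."
    }
    return $target_url
}

# Call site 1: return_url came in as a URL variable, so it is user-controlled.
# A site-relative value passes; a complete URL is rejected exactly as in the
# traceback from the original post. Both values are constructed samples.
puts [demo_returnredirect "/pvt/home"]
set return_url "http://other.example/somewhere"
if {[catch {demo_returnredirect $return_url} err]} {
    puts "rejected user-supplied return_url: $err"
}

# Call site 2: the forgotten-password URL is read from the authority's
# configuration, not from the request, so the caller opts in explicitly.
# This is the change suggested for auth::password::recover_password.
proc demo_recover_password {forgotten_url} {
    if { $forgotten_url ne "" } {
        return [demo_returnredirect -allow_complete_url $forgotten_url]
    }
    return ""
}
# Constructed sample of a configured external password-management URL.
puts [demo_recover_password "https://idp.example.org/forgot-password"]
```

The distinction the check relies on is where the value came from, not which host it names: an allow-list of hosts would accept any path on a listed host, whereas keying the opt-in to the call site means only values the application itself configured ever reach an external host. When you add the switch to a call, confirm the argument cannot be influenced by request parameters, since -allow_complete_url disables the only guard.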