Forum OpenACS Q&A: Re: Redirection to external hosts is not allowed

Posted by Dave Bauer on
Can you be more specific? Which code are you using to redirect to your static page?

Redirect to external hosts is NOT allowed unless you use the -allow_complete_url switch to ad_returnredirect.

See: https://openacs.org/api-doc/proc-view?proc=ad_returnredirect

This is there so that an attacker cannot pass a URL with return_url=... to another site where your site will perform a redirect to the attacker's web site.

Only use -allow_complete_url where you trust the value that is passed to ad_returnredirect.
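
The kind of check described above, as an added example that is not part of the original post and is not OpenACS's own implementation of ad_returnredirect: a plain-Tcl proc that accepts a return_url value only when it is a path on this server or an http(s) URL whose host is on an explicit list. The proc name is_local_redirect, its allowed_hosts argument and the sample URLs are hypothetical.

```tcl
# Added illustration, not OpenACS code. Returns 1 when url may be
# followed without opting in to external redirects, 0 otherwise.
proc is_local_redirect {url allowed_hosts} {
    # Control characters and backslashes can be normalised by browsers
    # in ways that change the target host, so refuse them outright.
    if {[regexp {[[:cntrl:]\\]} $url]} {
        return 0
    }
    # A path on this server: exactly one leading slash. "//host/path"
    # is a protocol-relative URL and points at another host.
    if {[string index $url 0] eq "/" && [string index $url 1] ne "/"} {
        return 1
    }
    # Absolute http(s) URL: take the authority part up to the first
    # "/", "?" or "#". Other schemes and bare relative names are refused.
    if {![regexp -nocase {^https?://([^/?#]*)} $url -> authority]} {
        return 0
    }
    # "user@host" makes the real host differ from what a reader sees.
    if {[string first "@" $authority] >= 0} {
        return 0
    }
    # Split off an optional numeric port, then compare the whole host
    # name (not a prefix or suffix of it) against the allowed list.
    if {![regexp {^([^:]+)(?::(\d+))?$} $authority -> host port]} {
        return 0
    }
    return [expr {[lsearch -exact $allowed_hosts [string tolower $host]] >= 0}]
}

# Constructed sample values; "localhost" matches the host in this thread.
foreach url {
    /index.htm
    http://localhost/index.htm
    //other.example/index.htm
    http://localhost.other.example/
    http://localhost@other.example/
    https://other.example/login
} {
    set verdict [expr {[is_local_redirect $url {localhost}] ? "allow" : "block"}]
    puts [format "%-36s %s" $url $verdict]
}
```

Only the first two sample values are allowed; the rest name a different host even though three of them contain the string "localhost" or start with a slash.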

Posted by Ratnakar Sagare on
Hi Dave,
Thanks for the reply.
I am not using any code to redirect to my static page. I am using the 'IndexRedirectUrl' parameter from the subsite parameters to redirect to a static page on the same server & not on any external server.
(My redirect page is http://localhost/index.htm)
I have the hostname defined in (oacs path)/etc/config.tcl.

Where can we use '-allow_complete_url'?

Ratnakar