Forum OpenACS Development: Header Injection
ad_returnredirect doesn't check the URL parameter for \n line breaks and so allows the header of the response to be modified. Here is the explanation:
You can test this behavior on any ]po[ page (for example: http://po40demo.project-open.net/intranet/, firstname.lastname@example.org, passwd=ben). Then enter the URL: /intranet/biz-object-tree-open-close?open%5fp=c&return%5furl=b5a54%0d%0aa882d&object%5fid=29137&page%5furl=default&user%5fid=624
The resulting HTTP response contains:
The problem occurs because ad_returnredirect passes the %0d and %0a characters on to the response header. So sanitizing the return_url this way should be mostly harmless and a security enhancement for OpenACS 5.8, shouldn't it?
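To make the report above concrete, here is an added illustration in Python (not OpenACS or ]po[ code) that decodes the test URL quoted in the post, shows why the raw return_url splits the header block, and applies a defensive check before the value reaches a Location header. The helper names and the fall-back-to-default policy are assumptions, not the fix OpenACS shipped.

```python
import re
from typing import List
from urllib.parse import parse_qs, urlsplit

# Constructed request path modelled on the test URL quoted in the post above.
SAMPLE_PATH = ("/intranet/biz-object-tree-open-close?open%5fp=c"
               "&return%5furl=b5a54%0d%0aa882d&object%5fid=29137"
               "&page%5furl=default&user%5fid=624")

# CR, LF and any other control character that would terminate a header line.
CTL_RE = re.compile(r"[\x00-\x1f\x7f]")


def extract_return_url(path: str) -> str:
    """Decode the return_url query parameter the way the server does before
    a redirect helper sees it (%5f -> '_', %0d%0a -> CR LF)."""
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    return params.get("return_url", [""])[0]


def unsafe_location_header(return_url: str) -> str:
    """Mirrors the reported behaviour: the decoded value is copied into the
    Location header verbatim, so an embedded CR LF ends the header early and
    whatever follows is parsed as further header lines."""
    return "Location: " + return_url + "\r\n"


def is_header_injection_attempt(return_url: str) -> bool:
    """Detection check for request-log review: True when the decoded value
    carries a control character that has no business in a redirect target."""
    return CTL_RE.search(return_url) is not None


def safe_return_url(return_url: str, default: str = "/") -> str:
    """Assumed defensive policy: reject rather than repair. A value with any
    control character is replaced by a known-safe default redirect target."""
    if is_header_injection_attempt(return_url):
        return default
    return return_url


def response_headers(return_url: str) -> List[str]:
    """Header lines a hardened redirect would emit for the given return_url."""
    return ["Location: " + safe_return_url(return_url), "Content-Length: 0"]
```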
Many thanks for reporting!
However, the "double-fix" in OpenACS fixes the ad_returnredirect case for older versions of NaviServer and AOLserver as well.