Forum OpenACS Development: Re: Security breach in ad_returnredirect! Really?

Collapse
3: Re: Security breach in ad_returnredirect! Really? (response to 1)
Posted by Gustaf Neumann on 05/23/14 02:12 PM
The redirection to absolute URLs is disallowed by default since a while in OpenACS. One can use "-allow_complete_url" to enforce usage to trusted hosts.

see: https://openacs.org/api-doc/proc-view?proc=ad_returnredirect

Collapse
4: Re: Security breach in ad_returnredirect! Really? (response to 3)
Posted by Frank Bergmann on 05/23/14 02:28 PM
There is something going wrong with the check for external_url in my OpenACS 5.7:

util::external_url_p "http://www.google.com/";
=> 0

Frank

Collapse
5: Re: Security breach in ad_returnredirect! Really? (response to 4)
Posted by Gustaf Neumann on 05/23/14 03:23 PM
can it be, that ]po[ was bought in the meantime by google, and this url is therefore internal? :)

anyhow, in oacs-5-8, the test returns correctly =>1

-g