Hi,

in https://issues.apache.org/jira/browse/SLING-3141 there was an issue fixed 
which made it possible to redirect from a Sling instance to another server with 
a forged GET-request (although there was a hop in the middle necessary which 
was the Login Form being provided by Sling).

Currently the Sling Post Servlet 
(https://github.com/apache/sling/blob/trunk/bundles/servlets/post/src/main/java/org/apache/sling/servlets/post/impl/SlingPostServlet.java#L305) 
does not validate the value being passed for parameter :redirect 
(http://sling.apache.org/documentation/bundles/manipulating-content-the-slingpostservlet-servlets-post.html#redirect). 
Although I think it can only be exploited similarly to SLING-3141 in case 
there is also a vulnerability in the script rendering the form, it should still 
not be allowed to pass arbitrary hosts IMHO. I think the same restrictions as 
for resources in the Sling Authenticators make sense here. For that we could 
leverage the method AuthUtil.isRedirectValid 
(https://github.com/apache/sling/blob/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/AuthUtil.java#L451), 
although one probably needs to move that method somewhere else to prevent a 
direct dependency from the Sling Servlets Post Bundle to the Sling Auth Core Bundle.

WDYT?

In case you agree I would create a JIRA issue for that and try to come up with 
a fix.
Thanks,
Konrad
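The kind of check the message is asking for, as an added illustration and not Sling's own code: a stand-alone method that accepts a :redirect value only when it is a plain path below the servlet context (no scheme, no host, no protocol-relative `//`, no `../`, no CR/LF). The rule set is an assumption loosely modeled on the restrictions the authenticators apply; the method and class names are hypothetical, and the sample inputs in main() are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;

/** Hypothetical validator for the :redirect parameter (illustration, not project code). */
public final class RedirectTargetCheck {

    private RedirectTargetCheck() {}

    /**
     * @param contextPath servlet context path, "" for the root context
     * @param target      raw :redirect parameter value as sent by the client
     * @return true only if target stays on this instance and may go to sendRedirect()
     */
    public static boolean isSafeRedirectTarget(String contextPath, String target) {
        if (target == null || target.isEmpty()) {
            return false;                                   // nothing to redirect to
        }
        // CR/LF in the value would end up in the Location header (header injection)
        if (target.indexOf('\r') >= 0 || target.indexOf('\n') >= 0) {
            return false;
        }
        // "scheme://host", "//host" and "/\host" are all resolved by browsers to another host
        if (target.contains("://") || target.startsWith("//") || target.contains("\\")) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(target);                          // strict RFC parsing, rejects stray chars
        } catch (URISyntaxException e) {
            return false;
        }
        if (uri.getScheme() != null || uri.getAuthority() != null) {
            return false;                                   // absolute or authority-bearing URI
        }
        String path = uri.getPath();
        if (path == null || !path.startsWith("/") || path.contains("/../") || path.endsWith("/..")) {
            return false;                                   // relative, or climbs out of the tree
        }
        // Same idea as the authenticators: the target must lie below the servlet context
        String prefix = contextPath.isEmpty() ? "/" : contextPath + "/";
        return path.equals(contextPath) || path.startsWith(prefix);
    }

    public static void main(String[] args) {
        // Constructed sample values; "*" is the Sling placeholder for the created node path
        String[] samples = { "/content/site/*.html", "/content/page.html?x=1",
                             "http://attacker.example/", "//attacker.example/", "/\\attacker.example/",
                             "/content/../etc", "javascript:alert(1)", "/content\r\nSet-Cookie: a=b" };
        for (String s : samples) {
            System.out.println(isSafeRedirectTarget("", s) + "  " + s.replace("\r\n", "\\r\\n"));
        }
    }
}
```

Only the first two samples pass; every other value is rejected before it can reach a Location header.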
