hi Konrad

On Mar 2, 2015, at 5:55 PM, Konrad Windszus <[email protected]> wrote:

> Hi,
>
> in https://issues.apache.org/jira/browse/SLING-3141 there was an issue fixed
> which made it possible to redirect from a Sling instance to another server
> with a forged GET request (although a hop in the middle was necessary, which
> was the Login Form being provided by Sling).
>
> Currently the Sling Post Servlet
> (https://github.com/apache/sling/blob/trunk/bundles/servlets/post/src/main/java/org/apache/sling/servlets/post/impl/SlingPostServlet.java#L305)
> does not validate the value being passed for the parameter :redirect
> (http://sling.apache.org/documentation/bundles/manipulating-content-the-slingpostservlet-servlets-post.html#redirect).
> Although I think it can only be exploited similarly to SLING-3141 in case
> there is a vulnerability also in the script rendering the form, it should
> still not be allowed to pass arbitrary hosts IMHO. I think the same
> restrictions as for resources in the Sling Authenticators make sense here.
> For that we could leverage the method AuthUtil.isRedirectValid
> (https://github.com/apache/sling/blob/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/AuthUtil.java#L451),
> although one probably needs to move that method somewhere else to prevent a
> direct dependency from the Sling Servlets Post Bundle on the Sling Auth Core
> Bundle.
>
> WDYT?
>
> In case you agree I would create a JIRA issue for that and try to come up
> with a fix.

it sounds like a plan :)

regards
antonio

> Thanks,
> Konrad
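The kind of check Konrad proposes above, written out as an added example. This is not Sling's code and not the body of AuthUtil.isRedirectValid; it is a standalone validator for a user-supplied redirect target (such as the :redirect parameter) that accepts only a same-server path under the servlet context path and refuses anything a browser could read as another host. The class name, the contextPath parameter and the sample inputs in main() are assumptions for illustration, and the Post Servlet's special :redirect values documented on the page linked above (for example "*") are deliberately not handled here.

```java
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Added example (not Sling code): conservative validation of a redirect
 * target taken from a request parameter. Policy: the target must be a
 * path on this server, below the servlet context path. Anything with a
 * scheme, an authority, a scheme-relative prefix, or header-splitting
 * control characters is rejected.
 */
public final class RedirectTargetCheck {

    private RedirectTargetCheck() {
    }

    /**
     * @param target      raw value of the redirect parameter (may be null)
     * @param contextPath servlet context path; "" for the root context.
     *                    Assumption: the caller passes
     *                    HttpServletRequest.getContextPath().
     * @return true only if target is a same-server path under contextPath
     */
    public static boolean isRedirectValid(String target, String contextPath) {
        if (target == null || target.isEmpty()) {
            return false;
        }
        // CR, LF or any other control character could split the Location header.
        for (int i = 0; i < target.length(); i++) {
            char c = target.charAt(i);
            if (c < 0x20 || c == 0x7f) {
                return false;
            }
        }
        // "//host/..." is a scheme-relative URL, and browsers also accept a
        // backslash in place of the second slash ("/\host"), so refuse both.
        if (target.startsWith("//") || target.startsWith("/\\") || target.startsWith("\\")) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            return false;
        }
        // A scheme ("http:", "javascript:", ...) or an authority means the
        // target points somewhere other than this server.
        if (uri.getScheme() != null || uri.getRawAuthority() != null) {
            return false;
        }
        // Only absolute paths on this server are accepted (no "?x=1" alone,
        // no relative "foo.html" whose meaning depends on the request URL).
        if (!uri.getRawPath().startsWith("/")) {
            return false;
        }
        // Collapse "/a/../b" so that a prefix check below cannot be bypassed.
        // URI.normalize() keeps a leading "/.." it cannot resolve, so reject
        // any remaining ".." (this also rejects legitimate names containing
        // "..", which is the conservative choice for a redirect).
        String path = uri.normalize().getRawPath();
        if (path.contains("..")) {
            return false;
        }
        String prefix = (contextPath == null) ? "" : contextPath;
        if (prefix.isEmpty()) {
            return true;
        }
        return path.equals(prefix) || path.startsWith(prefix + "/");
    }

    /** Constructed sample inputs; the first two are accepted, the rest refused. */
    public static void main(String[] args) {
        String[] samples = {
            "/content/page.html",
            "/content/page.html?x=1",
            "//evil.example/phish",
            "/\\evil.example",
            "http://evil.example/",
            "javascript:alert(1)",
            "/content/../../etc",
            "/content/page\r\nSet-Cookie: a=b",
            "page.html",
        };
        for (String s : samples) {
            System.out.println(isRedirectValid(s, "") + "\t" + s);
        }
    }
}
```

The order of the checks matters: the control-character and backslash tests run before java.net.URI parsing because a backslash is not legal URI syntax and would otherwise be reported as a parse error rather than as an explicit rejection, and the prefix comparison runs on the normalized path so that "/content/../admin" cannot slip past a contextPath of "/content". If the check were to live in the Post Servlet, the dependency question Konrad raises still stands: a validator like this one has no dependency on Sling Auth Core, which is one way to avoid pulling that bundle into the Servlets Post bundle.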
