Is it safe to put the following code (check if "url" starts with http://
or https://) in casLogoutView.jsp, in order to "re-enable" url parameter
functionality as defined in http://www.jasig.org/cas/protocol (section
2.3.1)?
Let me give you the background for the removal of that feature. It was
pointed out that the url parameter was under the control of the client,
so it could be manipulated to embed content or point the user to a
malicious site. We removed it as a precaution: better to err on the
side of security. As long as you escape XML content, you protect
against the first concern, but there's no simple protection against the
possibility of a malicious site offering a link like the following:
https://cas.example.com/cas/logout?url=https://thepiratebay.se
While one would hope that the target URL is patently clear in most
cases, I can imagine cases where the target URL could be disguised to
look like an institutional service. (See
http://en.wikipedia.org/wiki/IDN_homograph_attack for one possible
avenue.) While the risk of this kind of attack is fairly low, it is yet
a risk.
For what it's worth, we still have this feature enabled in our
environment, simply taking care to escape XML content.
M
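To make the difference between the two concerns in the reply concrete, here is an added Java example (not CAS project code, and not code from either poster) that puts the prefix check from the question beside a host-allowlist check and a small XML escaper. The class name, method names and the allowlisted hosts `cas.example.com` and `portal.example.com` are assumptions constructed for the example; the sample URLs are constructed too, apart from the one quoted in the reply.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

public final class LogoutUrlCheck {

    // Constructed allowlist of institutional hosts (an assumption for this example).
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("cas.example.com", "portal.example.com");

    // The check asked about in the question: any http(s) URL passes, so a
    // third-party destination such as https://thepiratebay.se is still accepted.
    static boolean prefixCheckOnly(String url) {
        return url != null
                && (url.startsWith("http://") || url.startsWith("https://"));
    }

    // Stricter check: parse the value, require https, reject userinfo
    // ("https://cas.example.com@evil.example/" has host evil.example) and
    // require an exact allowlist match, which also rejects look-alike hostnames.
    static boolean isAllowedRedirect(String url) {
        if (url == null) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false;
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            return false;
        }
        // getHost() is null when the authority is not a parseable server name
        String host = uri.getHost();
        if (host == null || uri.getRawUserInfo() != null) {
            return false;
        }
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    // Escape the XML special characters before writing the value into the view;
    // this addresses the content-embedding concern, not the redirect target.
    static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values of the url parameter
        String[] samples = {
            "https://cas.example.com/cas/login",
            "https://thepiratebay.se",
            "https://cas.example.com@evil.example/",
            "http://portal.example.com/",
            "https://portal.example.com/?a=1&b=<x>"
        };
        for (String s : samples) {
            System.out.printf("%-42s prefix=%-5s allowlist=%-5s escaped=%s%n",
                    s, prefixCheckOnly(s), isAllowedRedirect(s), escapeXml(s));
        }
    }
}
```

Run as `java LogoutUrlCheck.java`. The prefix check accepts all five samples; the allowlist check accepts only the first. In a JSP view the escaping step is normally left to the standard tags (JSTL's `<c:out>` escapes XML by default) rather than hand-written as here, but the two checks stay separate either way: escaping protects the page markup, and only the host check narrows where the user can be sent.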
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user