Hi, Please review this pull request.
On Sat, Mar 8, 2014 at 6:02 PM, bond- <[email protected]> wrote:

> GitHub user bond- opened a pull request:
>
> https://github.com/apache/sling/pull/12
>
> SLING-3443: Parameter based redirection vulnerability in FormAuthenticationHandler
>
> *FormAuthenticationHandler* didn't URL-encode the parameter (*Authenticator.LOGIN_RESOURCE*) before redirection. This leads the attacker to use this parameter to redirect to a different domain. This may also help in phishing attacks.
>
> This was initially spotted in one of our applications which uses org.apache.sling:org.apache.sling.auth.form:1.0.2
>
> This pull request fixes the vulnerability.
>
> You can merge this pull request into a Git repository by running:
>
> $ git pull https://github.com/bond-/sling sling-3443
>
> Alternatively you can review and apply these changes as the patch at:
>
> https://github.com/apache/sling/pull/12.patch
>
> To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:
>
> This closes #12
>
> ----
> commit d1531735762e7423404f1e304dfc4c483f9556de
> Author: Raviteja Lokineni <[email protected]>
> Date: 2014-03-08T12:24:52Z
>
> SLING-3443: Parameter based redirection vulnerability in FormAuthenticationHandler
>
> ----
>
> ---
> If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at [email protected] or file a JIRA ticket with INFRA.
> ---

--
*Ravi Teja Lokineni* | Software Engineer
Oracle India Pvt. Ltd.
E: [email protected]
<https://www.linkedin.com/in/ravitejalokineni>
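The bug class described in the pull request above, as an added illustration that is not part of the thread and not code from the Sling project or from the pull request: a login resource parameter taken from the request is placed into a redirect URL as-is, so its value can break out of the query string or name an off-site location. The hardened version both validates that the target is a path on the same site and URL-encodes it. The login form path, the default landing page, the function names and the sample inputs are all assumptions constructed for this example.

```python
from urllib.parse import urlencode, urlsplit

# Assumed values for this example; not taken from the pull request.
LOGIN_FORM_PATH = "/system/sling/form/login"
DEFAULT_RESOURCE = "/"


def build_login_redirect_unsafe(requested_resource: str) -> str:
    """The pattern the report describes: the client-supplied resource value is
    concatenated into the redirect URL without encoding or validation, so
    whatever the client sent ends up verbatim in the Location header."""
    return LOGIN_FORM_PATH + "?resource=" + requested_resource


def is_safe_local_target(target: str) -> bool:
    """Accept only an absolute-path reference on this site.

    Rejected: empty values, anything not starting with "/", protocol-relative
    forms ("//host/..."), a backslash right after the leading slash (some
    browsers normalise "/\\host" to "//host"), CR/LF (header splitting), and
    anything urlsplit() still parses as carrying a scheme or authority.
    """
    if not target or not target.startswith("/"):
        return False
    if target.startswith("//") or target.startswith("/\\"):
        return False
    if "\r" in target or "\n" in target:
        return False
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


def build_login_redirect(requested_resource: str) -> str:
    """Hardened version: validate the target, fall back to a known-good page
    on failure, and URL-encode the value so it cannot escape the query string."""
    resource = (requested_resource if is_safe_local_target(requested_resource)
                else DEFAULT_RESOURCE)
    return LOGIN_FORM_PATH + "?" + urlencode({"resource": resource})


def after_login_target(resource_param: str) -> str:
    """Where the browser is sent after a successful login. The same check is
    applied to the round-tripped parameter, because this is the redirect that
    actually leaves the site if it is not validated."""
    return resource_param if is_safe_local_target(resource_param) else DEFAULT_RESOURCE


if __name__ == "__main__":
    # Constructed inputs: one legitimate deep link and several off-site targets.
    samples = [
        "/content/page.html?a=1&b=2",
        "http://evil.example/",
        "//evil.example/",
        "/\\evil.example",
        "javascript:alert(1)",
    ]
    for value in samples:
        print(f"{value!r:32} unsafe -> {build_login_redirect_unsafe(value)}")
        print(f"{'':32} safe   -> {build_login_redirect(value)}")
        print(f"{'':32} after login -> {after_login_target(value)}")
```

Running the block shows the two failure modes side by side: with the unsafe builder, `&b=2` from the legitimate link becomes a separate parameter of the login form, and `//evil.example/` is passed through untouched; the hardened builder encodes the legitimate value (`resource=%2Fcontent%2Fpage.html%3Fa%3D1%26b%3D2`) and replaces every off-site target with the default page.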
