- **status**: code-review --> closed
- **private**: Yes --> No
- **QA**: Dave Brondsema
---

**[tickets:#7545] return_to param should be validated for relative URLs**

**Status:** closed
**Milestone:** forge-jul-25
**Labels:** security
**Created:** Mon Jul 07, 2014 04:32 PM UTC by Dave Brondsema
**Last Updated:** Mon Jul 14, 2014 02:52 PM UTC
**Owner:** Cory Johns

The login form return_to param should only accept relative URLs, and not external URLs. An easy check is that '//' is not in the return_to URL (it matches protocol-less URLs too). This will prevent phishing sites from taking advantage of the login flow to present a malicious page.
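An added example (not Allura's own code) of the check the ticket proposes: a validator that falls back to a safe default whenever return_to contains '//', which rejects absolute and protocol-relative URLs in one test. The backslash, control-character and scheme/netloc checks are extra hardening assumed here, not part of the ticket.

```python
from urllib.parse import urlsplit


def safe_return_to(return_to, default="/"):
    """Return a post-login redirect target that stays on this site.

    Anything that could send the browser to another host (or to a
    non-HTTP scheme) is replaced by `default`, so an attacker-controlled
    return_to cannot turn the login flow into an open redirect.
    """
    if not return_to:
        return default
    # The ticket's check: '//' appears in absolute URLs (http://host/...)
    # and in protocol-relative URLs (//host/...), so one test covers both.
    if "//" in return_to:
        return default
    # Assumed extra hardening beyond the ticket: browsers normalise
    # backslashes to slashes, so '/\host' would also leave the site, and
    # control characters can split or corrupt the Location header.
    if "\\" in return_to or any(ord(c) < 0x20 for c in return_to):
        return default
    parts = urlsplit(return_to)
    # Defence in depth: a relative path has no scheme (blocks
    # 'javascript:' and 'http:host' forms) and no host, and we require
    # an absolute path on this site.
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return default
    return return_to


if __name__ == "__main__":
    # Constructed sample inputs, not values from the ticket.
    for candidate in ["/p/allura/tickets/7545/", "//evil.example/login",
                      "http://evil.example/", "/\\evil.example", ""]:
        print(repr(candidate), "->", safe_return_to(candidate))
```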
