dxbjavid opened a new pull request, #3241: URL: https://github.com/apache/cxf/pull/3241
When the RP sign-in flow completes, OidcRpAuthenticationService redirects the browser to the state value, which OidcRpAuthenticationFilter copies straight from the current request parameters, so a request such as /rp/complete?state=https://evil.example against an authenticated session returns a 303 to an arbitrary external host, an open redirect.

The legitimate value is always the application's own request URI, so completeAuthentication now only honours a location that is relative or shares the same scheme and authority as the base path; otherwise it falls back to the configured default location.

The added test covers the cross-origin, protocol-relative and userinfo-host variants.

-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
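A worked illustration of the check the PR description outlines, added here as an example and not taken from the pull request or from CXF's code base. The class and method names (SafeRedirect, resolveLocation), the base path https://app.example/rp, the default location and every sample input are assumptions constructed for the demonstration. It builds the decision on java.net.URI so that the cross-origin, protocol-relative and userinfo-host variants named in the description fall out of one scheme-plus-authority comparison rather than a list of string prefixes, and it goes one step further than the description by treating anything java.net.URI refuses to parse (backslashes, whitespace) as unsafe.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

/*
 * Added example (not CXF code): choose a post-login redirect target from an
 * untrusted "state" value. Names and sample values are hypothetical.
 */
public final class SafeRedirect {

    /**
     * Returns requested when it is a relative reference or an absolute URI with
     * the same scheme and authority as basePath; otherwise defaultLocation.
     */
    public static String resolveLocation(String basePath, String requested, String defaultLocation) {
        if (requested == null || requested.isEmpty()) {
            return defaultLocation;
        }
        URI base;
        URI target;
        try {
            base = new URI(basePath);
            target = new URI(requested);
        } catch (URISyntaxException e) {
            // Backslashes, whitespace and control characters are rejected by
            // java.net.URI; a value we cannot parse is never a safe Location.
            return defaultLocation;
        }
        String baseScheme = lower(base.getScheme());
        String baseAuthority = lower(base.getRawAuthority());
        if (baseScheme == null || baseAuthority == null) {
            throw new IllegalArgumentException("basePath must be absolute with an authority: " + basePath);
        }

        // Relative reference: no scheme AND no authority. A protocol-relative
        // value such as //evil.example has no scheme but does carry an
        // authority, so it fails here; the startsWith check is belt-and-braces.
        boolean relative = target.getScheme() == null
                && target.getRawAuthority() == null
                && !requested.startsWith("//");
        if (relative) {
            return requested;
        }

        // Absolute reference: scheme and raw authority must match the base.
        // https://app.example@evil.example/ has authority "app.example@evil.example"
        // (host evil.example), which does not equal "app.example", so it falls
        // back. Scheme and host are case-insensitive, hence the lower-casing.
        boolean sameOrigin = baseScheme.equals(lower(target.getScheme()))
                && baseAuthority.equals(lower(target.getRawAuthority()));
        return sameOrigin ? requested : defaultLocation;
    }

    private static String lower(String s) {
        return s == null ? null : s.toLowerCase(Locale.ROOT);
    }

    public static void main(String[] args) {
        String base = "https://app.example/rp";            // assumed base path
        String dflt = "https://app.example/rp/home";       // assumed default location
        String[] inputs = {                                // constructed inputs
            "/rp/complete?state=abc",                      // relative: honoured
            "https://app.example/rp/complete",             // same origin: honoured
            "HTTPS://APP.EXAMPLE/rp/complete",             // same origin, other case: honoured
            "https://evil.example",                        // cross-origin: default
            "//evil.example/phish",                        // protocol-relative: default
            "https://app.example@evil.example/",           // userinfo host: default
            "https://app.example:443/rp",                  // explicit port, authority differs: default
            "https:evil.example",                          // opaque, no authority: default
            "javascript:alert(1)",                         // non-http scheme: default
            "/\\evil.example",                             // backslash, unparseable: default
        };
        for (String in : inputs) {
            System.out.printf("%-40s -> %s%n", in, resolveLocation(base, in, dflt));
        }
    }
}
```

Two design choices worth noting. The comparison is on the raw authority string, so https://app.example:443/rp does not match a base of https://app.example even though a browser would treat them as the same origin; that is deliberately conservative, and a deployment that needs it can normalise default ports on both sides before comparing. The honoured value is returned unchanged rather than re-serialised, so the Location header the user sees is exactly what was validated.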
