https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31699
--- Comment #19 from David Cook <[email protected]> ---
(In reply to Tomás Cohen Arazi from comment #16)
> Do we need some form of validation for $return?

100%

The "return" param could either be window.location.pathname + window.location.search, so the Perl could append that to OpacBaseURL, or "return" could be a full URL, and the Perl replaces the hostname with OpacBaseURL.

This is the approach we use in C4::Auth_with_shibboleth, and it's something I've used elsewhere as well. The only downside I see is that it locks you into using the particular OpacBaseURL you have defined for that virtual host.

Either way, we definitely need to validate/construct the URL, or else we're creating this problem: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html

-- 
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
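The two construction strategies the comment describes (append a path+query to OpacBaseURL, or take a full URL and replace its scheme/host with OpacBaseURL's), written out as an added example. This is not code from Koha, from C4::Auth_with_shibboleth, or from the comment author; it uses the CPAN URI module, which Koha already depends on. The base URL value, the function names and the demonstration inputs are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use URI;    # CPAN module (Koha already depends on it)

# Assumption: in Koha this value would come from the OPACBaseURL preference.
my $opac_base_url = 'https://opac.example.org';

# Shared guard: a local path must start with exactly one '/'.
# "//evil.example" is a protocol-relative URL and some browsers treat
# "/\evil.example" the same way, so both fail the check.
sub is_local_path {
    my ($path_query) = @_;
    return defined $path_query && $path_query =~ m{\A/(?![/\\])};
}

# Final check on what goes into Location: scheme, host and port must be
# those of OPACBaseURL, whatever the client sent.
sub same_origin {
    my ( $target, $base ) = @_;
    my $b = URI->new($base);
    return ( $target->scheme // '' ) eq $b->scheme
        && lc( $target->host // '' ) eq lc $b->host
        && $target->port == $b->port;
}

# Variant 1: the client sends window.location.pathname + window.location.search.
# Anything that is not a local path falls back to the OPAC home page.
sub return_url_from_path {
    my ( $base, $return ) = @_;
    return $base unless is_local_path($return);

    # URI percent-encodes characters outside the URI character set (CR, LF,
    # space, backslash, ...) and resolves dot segments, so the result can
    # neither break the Location header nor leave the configured host.
    my $target = URI->new_abs( $return, $base );
    return same_origin( $target, $base ) ? $target->as_string : $base;
}

# Variant 2: the client sends a full URL; keep only its path and query and
# put them under OPACBaseURL, discarding whatever scheme/host/port was sent.
sub return_url_rehosted {
    my ( $base, $return ) = @_;
    return $base unless defined $return && length $return;

    my $sent = URI->new($return);
    # Opaque schemes such as data: or mailto: have no path_query at all;
    # javascript: parses as a foreign URI whose "path" does not start with
    # '/', so it fails the same guard as variant 1.
    return $base unless $sent->can('path_query');
    return return_url_from_path( $base, $sent->path_query );
}

# Constructed inputs for demonstration: the first two are legitimate, the
# rest are redirect attempts that must all end up under OPACBaseURL.
for my $return (
    '/cgi-bin/koha/opac-search.pl?q=koha',
    'https://opac.example.org/cgi-bin/koha/opac-user.pl',
    'https://evil.example/phish',
    '//evil.example/phish',
    '/\evil.example',
    'javascript:alert(1)',
    "/cgi-bin/koha/opac-main.pl\r\nSet-Cookie: x=1",
) {
    printf "%-50s -> %s\n", $return, return_url_rehosted( $opac_base_url, $return );
}
```

Note that the rehosting variant deliberately keeps the path of a foreign URL (https://evil.example/phish becomes https://opac.example.org/phish); that is the "replace the hostname" behaviour the comment describes, and it is harmless because the user never leaves the configured OPAC host. The downside the comment mentions also shows here: the redirect is always built on the single OPACBaseURL value, so an OPAC reached under another virtual host name will be sent to the configured one.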
