The popular NotFound handler for ASP.NET Core and Optimizely, enabling better control over your 404 page in addition to allowing redirects for old URLs that no longer works.
I posted this issue a couple of months back (on april 24th this year, link), but that was in the previous version (for epi <= 11).
This issue is still active. After filing my issue I created middleware to prevent redirection to not-trusted-sites that would intercept redirects from the notfound-handler to sites we don't trust.
Here what I posted previously:
It seems that when I redirect to a relative url in the root it enables an open redirect. This seems to be introduced in the new version of the NotFound-handler.
This is the redirect-rule which was enabled in the old (episerver 11) version (I replaced our site in the example below):
I posted this issue a couple of months back (on april 24th this year, link), but that was in the previous version (for epi <= 11). This issue is still active. After filing my issue I created middleware to prevent redirection to not-trusted-sites that would intercept redirects from the notfound-handler to sites we don't trust. Here what I posted previously:
It seems that when I redirect to a relative url in the root it enables an open redirect. This seems to be introduced in the new version of the NotFound-handler.
This is the redirect-rule which was enabled in the old (episerver 11) version (I replaced our site in the example below):
This rule was exported from episerver 11 and imported in the new version in version 12.
When this rule is enabled in the new version we enable an open redirect. As an example, navigating to this url: https://www.oursite.nl/www/somesite/nl/google.com will redirect the browser to google.com. The location-header is set to https://google.com/?utm_source=www.somesite.nl&utm_medium=redirect&utm_campaign=rebranding