WrenSecurity / wrenam

Community fork of OpenAM, an authentication and authorization system originally developed by ForgeRock.

Evaluate and fix issue known to OpenAM as #201801-04 #13

Open siepkes opened 6 years ago

siepkes commented 6 years ago

Since we share a common heritage with OpenAM, the issue described here as "Issue #201801-04: Open Redirect" probably affects wren:AM too.

We need to evaluate if and how this issue affects wren:AM and fix it.

pavelhoral commented 5 years ago

The issue is with handling goto and gotoOnFail parameters. There are 2 affected components: RESTLoginView and CommonConfig (part of Commons UI project).

I can see that the latest updates to the UI (maybe together with the introduction of React) introduced a special gotoUrl component, but that is just a parameter wrapper without any sanitization / validation logic.

TL;DR This issue applies to us.