Open dmitriim opened 1 year ago
I would treat the open redirect as a bug and fix that, and treat the whitelist as a bonus-points new feature. Yes, it worked in the past, but it's an undocumented bug rather than an explicit feature.
Agree we should fix it brutally by limiting to local URLs only and leave this one open as an enhancement for those who may be suffering.
After landing https://github.com/catalyst/moodle-auth_userkey/pull/99 we are redirecting only to internal pages, which is not ideal and can potentially break some functionality.
Next step would be introducing a new setting for whitelisting domains for redirecting.
Currently on logout you can redirect to any URL. It would be more secure to redirect only to internal pages and whitelisted pages. I guess we need a new setting for that.
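To make the two proposals above concrete (internal-only redirects as the bug fix, plus a domain whitelist as the follow-up setting), here is an added example of a validator for the logout redirect target. It is not code from auth_userkey or from PR #99. The function name `auth_userkey_is_safe_redirect`, the `$allowedhosts` format (one `host` or `host:port` per entry) and the way the site root is passed in (mirroring Moodle's `$CFG->wwwroot`) are assumptions for the example; the setting that would feed `$allowedhosts` does not exist in the plugin.

```php
<?php
// Added example, not auth_userkey's own code.
// Decide whether a logout redirect target may be followed: only
//   (a) site-relative paths such as "/my/",
//   (b) absolute URLs to the site itself (same scheme, host and port as $wwwroot), or
//   (c) absolute http(s) URLs whose host[:port] is in the admin-configured whitelist.
// $wwwroot is assumed to be Moodle's $CFG->wwwroot; $allowedhosts is a hypothetical setting.

function auth_userkey_is_safe_redirect(string $url, string $wwwroot, array $allowedhosts): bool {
    // Control characters, whitespace and backslashes never belong in a legitimate
    // target and are the raw material of parser-confusion tricks (e.g. "https://site\@evil").
    if (preg_match('/[\x00-\x20\x7f\\\\]/', $url)) {
        return false;
    }

    $site = parse_url($wwwroot);
    if ($site === false || empty($site['host'])) {
        return false;
    }

    // Site-relative path: allow "/course/view.php?id=2", but reject the
    // protocol-relative form "//evil.example" which browsers resolve off-site.
    if (substr($url, 0, 1) === '/') {
        return substr($url, 1, 1) !== '/';
    }

    // Anything else must be a fully qualified http(s) URL. This also rejects
    // "javascript:", "data:" and bare words, none of which have a host.
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;
    }

    // Compare host and explicit port together so "site.example:8080" cannot
    // masquerade as "site.example". Userinfo ("site.example@evil.example") is
    // ignored by parse_url, so the real host is what gets compared.
    $hostport = strtolower($parts['host']) . (isset($parts['port']) ? ':' . $parts['port'] : '');
    $sitehostport = strtolower($site['host']) . (isset($site['port']) ? ':' . $site['port'] : '');

    if ($scheme === strtolower($site['scheme'] ?? '') && $hostport === $sitehostport) {
        return true;
    }

    // Whitelist entries are matched exactly and case-insensitively; no suffix or
    // substring matching, so "site.example.evil.example" does not pass.
    foreach ($allowedhosts as $allowed) {
        if ($hostport === strtolower(trim($allowed))) {
            return true;
        }
    }
    return false;
}

// Constructed sample inputs for trying the check locally.
$wwwroot = 'https://moodle.example.com';
$allowedhosts = ['portal.example.com', 'sso.example.com:8443'];
$candidates = [
    '/my/',
    '//evil.example.com/',
    'https://moodle.example.com/login/index.php',
    'https://moodle.example.com@evil.example.com/',
    'https://portal.example.com/home',
    'https://sso.example.com:8443/logout',
    'https://sso.example.com/logout',
    'javascript:alert(1)',
];
foreach ($candidates as $candidate) {
    printf("%-50s %s\n", $candidate, auth_userkey_is_safe_redirect($candidate, $wwwroot, $allowedhosts) ? 'allow' : 'deny');
}
```

Two deliberate choices: a scheme mismatch against the site root (http vs https) is treated as off-site and falls through to the whitelist, and ports are part of the match, so an admin who wants a non-default port has to list it explicitly. Whatever setting ends up holding the whitelist, the plugin should fall back to its own logout URL whenever this check returns false rather than echoing the rejected target.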