Closed ssteeltm closed 2 months ago
Hey there,
Thanks for the PR! Been super busy so I haven't had a chance to try this out yet, but I like the idea!
My only issue is that if you put an external link in the URL parameter, it looks like you could potentially divert people to third party websites. This is known as an Open Redirect vulnerability and is generally used in phishing campaigns.
https://portswigger.net/kb/issues/00500100_open-redirection-reflected
https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
I'm sure there's a way to mitigate but would love to hear your thoughts?
I see now the potential issue. What if we just save the URI, since we can get the domain from config, and also we could hash the query parameter somehow?
This looks good to me!
The only thing I could think may be an issue is setting the location based off the $_SERVER["REQUEST_SCHEME"]. I know some will be running ITFlow HTTP (as far as the server is concerned) but then using a reverse proxy/tunnel for the HTTPS. What do you think about defaulting that to HTTPS or // (which should default to whatever the user's browser is connecting with)?
(Nitpick: would be fab if you could add a space after the IF statement and include braces for both - it's our standard, even if there's only one line within the statement).
Either way @johnnyq I'm happy to get this merged for now and fix forward.
Hello, no problem, I'll change it if that's the standard. About the HTTP scheme, I use HAProxy pointing to ITFlow and didn't have issues with it.
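The mitigation discussed above (save only the URI, never a full URL, and avoid building the Location from `$_SERVER["REQUEST_SCHEME"]`), as an added example that is not ITFlow's code and not part of this PR. The function names, the `/dashboard.php` fallback, the `return_to` session key and the HMAC secret are assumptions for illustration.

```php
<?php
// Added example (not ITFlow's own code): validate a saved "return to" value
// before redirecting after re-login, so a stored value can never send the
// user to a third-party site. Function and parameter names are assumptions.

/**
 * Reduce an untrusted candidate to a safe, same-site path, or return $fallback.
 * Only a path that starts with a single "/" is accepted: no scheme, no host,
 * and no "//" or "/\" prefix, which browsers treat as a scheme-relative URL.
 */
function safe_return_path(string $candidate, string $fallback = '/dashboard.php'): string
{
    $candidate = trim($candidate);

    // Exactly one leading "/", not followed by another "/" or a backslash.
    if (!preg_match('#^/(?![/\\\\])#', $candidate)) {
        return $fallback;
    }
    // No control characters: CR/LF would allow header injection via Location.
    if (preg_match('/[\x00-\x1F\x7F]/', $candidate)) {
        return $fallback;
    }
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    // Keep only path and query; the fragment never reaches the server anyway.
    $path  = $parts['path'] ?? '/';
    $query = isset($parts['query']) ? '?' . $parts['query'] : '';
    return $path . $query;
}

/**
 * If the return path has to travel through a query parameter instead of the
 * server-side session, sign it so tampering is detected (assumed secret).
 */
function sign_return_path(string $path, string $secret): string
{
    return hash_hmac('sha256', $path, $secret);
}

function verify_return_path(string $path, string $mac, string $secret): bool
{
    return hash_equals(sign_return_path($path, $secret), $mac);
}

// Constructed demonstration of what is accepted and what falls back.
$cases = [
    '/clients.php?client_id=42'    => '/clients.php?client_id=42',
    '/tickets.php#top'             => '/tickets.php',
    'https://evil.example/login'   => '/dashboard.php',
    '//evil.example/login'         => '/dashboard.php',
    '/\\evil.example'              => '/dashboard.php',
    "/ok.php\r\nSet-Cookie: x=1"   => '/dashboard.php',
    'javascript:alert(1)'          => '/dashboard.php',
];
foreach ($cases as $input => $expected) {
    $got = safe_return_path($input);
    printf("%-36s -> %s %s\n", json_encode($input), $got, $got === $expected ? 'ok' : 'MISMATCH');
}

// On session expiry (assumed hook):
//   $_SESSION['return_to'] = safe_return_path($_SERVER['REQUEST_URI'] ?? '/');
// After a successful login, a path-only Location keeps the browser's own
// scheme and host, so $_SERVER['REQUEST_SCHEME'] is never consulted:
//   header('Location: ' . safe_return_path($_SESSION['return_to'] ?? ''));
```

Storing the value in `$_SESSION` already keeps it out of the user's hands, so the HMAC is only needed if the path is round-tripped through a query string or cookie. Emitting a path-only `Location` also sidesteps the reverse-proxy scheme question raised above, since the browser resolves it against the scheme and host it is already using.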
Looks great to me @wrongecho and thank you for the patch @ssteeltm merging in
To accomplish what was discussed in https://forum.itflow.org/d/688-session-expire-should-back-with-current-url
When you get logged out from session expiry, it will save the last URL tried, so that when logging in again it redirects to it.