Currently the next query parameter allows for unvalidated redirects. An attacker can send a link to a user containing a complete URL, such as "http://maritini.com/logout?next=http://evil.com". Since next is not validated, the user will be sent to "http://evil.com".
To solve this, I added an extractPath function which attempts to parse the next variable and return its Path. If there is an error parsing, it returns "/".
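One way to write such a function with Go's net/url, added here as an example and not the code from this pull request. Only the name extractPath and the "/" fallback come from the description; the checks for an empty path, a leading "//" and backslashes are assumptions of this example, included because a parsed Path can itself begin with "//", which browsers resolve as a host rather than a local path.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// extractPath reduces next to a path on the current site, or "/" when that is
// not possible. Name taken from the PR description; body is this example's own.
func extractPath(next string) string {
	u, err := url.Parse(next)
	if err != nil {
		return "/" // unparseable input: fall back to the site root
	}
	p := u.Path // decoded path, with scheme, host and query already dropped
	// "http://evil.com" parses to an empty Path, and "dashboard" to a
	// relative one; only rooted paths are accepted.
	if !strings.HasPrefix(p, "/") {
		return "/"
	}
	// A path starting with "//" is a scheme-relative URL, and browsers treat
	// "\" like "/", so either form could still leave the site.
	if strings.HasPrefix(p, "//") || strings.Contains(p, "\\") {
		return "/"
	}
	// Return the escaped form so decoded control characters never reach
	// the Location header.
	return u.EscapedPath()
}

func main() {
	// Constructed sample values for the next parameter.
	samples := []string{
		"/dashboard",
		"http://evil.com",
		"http://evil.com/account",
		"//evil.com",
		"http://maritini.com//evil.com",
		"%zz",
	}
	for _, s := range samples {
		fmt.Printf("%-32q -> %q\n", s, extractPath(s))
	}
}
```

An absolute URL that carries a path, such as "http://evil.com/account", comes back as "/account", so the user stays on the original host.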