
Tighten redirect handling in the OpenID service #100


Closed
wants to merge 5 commits into from

Conversation

jonasbardino
Contributor

Tighten redirects in built-in OpenID service as discussed internally in follow-up to external reporting.

…cepting

redirect there the value may come from an untrusted query argument, which may e.g. have
been crafted by the user or even a malicious 3rd party gone phishing. Includes
simple inline unit tests for now.
… decoding

errors in order to make masking of credentials consistent.
Switch from displayResponse to showErrorPage directly to avoid unwanted side
effects like e.g. any return_to variables in the request being applied even on
such encoding/decoding failure.
@jonasbardino jonasbardino added bug Something isn't working unit test labels Aug 5, 2024
@jonasbardino jonasbardino self-assigned this Aug 5, 2024
…or method

up as module function and all test strings up as top-level 'constants'.
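As an added, defensive illustration of the kind of check the commits above describe (accepting a redirect target such as a return_to value only when it is trusted, and failing closed on decoding errors), here is a small Python validator. It is not part of this pull request or of the project's own code; the host allow-list, scheme list, fallback path and the sample inputs are constructed for the example.

```python
"""Allow-list validation of a redirect target taken from an untrusted query argument.

Example code written for this page; not the project's own implementation.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed deployment values: the hosts/schemes a redirect may point to,
# and the safe place to send the user when the supplied target is rejected.
ALLOWED_HOSTS = frozenset({"mig.example.org"})
ALLOWED_SCHEMES = frozenset({"https"})
FALLBACK = "/"


def safe_redirect_target(raw, allowed_hosts=ALLOWED_HOSTS,
                         allowed_schemes=ALLOWED_SCHEMES, fallback=FALLBACK):
    """Return `raw` if it is a redirect target we are willing to follow,
    otherwise `fallback`. Never raises on malformed input: a value that
    cannot even be decoded is treated exactly like a hostile one."""
    if isinstance(raw, bytes):
        try:
            raw = raw.decode("utf-8")
        except UnicodeDecodeError:
            return fallback
    if not isinstance(raw, str):
        return fallback

    # Browsers treat backslashes as forward slashes, so normalise first;
    # otherwise "/\evil.example" would parse here as a site-local path.
    candidate = raw.strip().replace("\\", "/")
    if not candidate:
        return fallback
    # Control characters (including tab/newline, which browsers silently
    # strip) can change how the URL is parsed downstream; reject outright.
    if any(ord(c) < 0x20 or c == "\x7f" for c in candidate):
        return fallback

    parts = urlsplit(candidate)

    # Relative reference: accept only root-relative paths. "//host/..." is
    # scheme-relative and would leave the site, so it must not pass here.
    if parts.scheme == "" and parts.netloc == "":
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return fallback

    # Absolute reference: scheme and host must both be on the allow-list,
    # and no userinfo is tolerated ("https://trusted@evil.example/").
    if parts.scheme.lower() not in allowed_schemes:
        return fallback
    host = parts.hostname
    if host is None or host.lower() not in allowed_hosts:
        return fallback
    if parts.username is not None or parts.password is not None:
        return fallback

    return urlunsplit((parts.scheme.lower(), parts.netloc,
                       parts.path or "/", parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample inputs: a few legitimate targets and a few of the
    # classic open-redirect shapes a crafted query argument might carry.
    samples = [
        "/cgi-bin/home.py?x=1",
        "https://mig.example.org/cgi-bin/home.py",
        "//evil.example/",
        "/\\evil.example",
        "https://mig.example.org@evil.example/",
        "javascript:alert(1)",
        b"/\xff",
    ]
    for sample in samples:
        print("%r -> %r" % (sample, safe_redirect_target(sample)))
```

The function returns the fallback rather than raising, which is the behaviour you want when the caller is an error page: a rejected or undecodable target must not leak into the response it is about to render.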
@jonasbardino
Contributor Author

Manually merged through svn.

@jonasbardino
Contributor Author

For the record the fix is included in the 20240807 and any later releases.
Thanks again to Kasper Karlsson, Senior Security Researcher at Omegapoint for reporting the issue.

@jonasbardino jonasbardino deleted the fix/openid_tighten_redirect_handling branch August 8, 2024 09:39