
[2.x] `LogoutController` permits open redirects

Open imorland opened this issue 2 years ago • 0 comments

Current Behavior

By manipulating the /logout endpoint, it is possible to trigger a redirect to any other URL.

Steps to Reproduce

Visit /logout?return=https://evil.com and notice you are redirected to evil.com.

Expected Behavior

By default, redirection to other hosts should not be permitted. It should be possible to create a whitelist of domains permitted, if necessary.

Screenshots

No response

Environment

  • Flarum version: x.y.z
  • Website URL: http://example.com
  • Webserver: [e.g. apache, nginx]
  • Hosting environment: [e.g. shared, vps]
  • PHP version: x.y.z
  • Browser: [e.g. chrome 67, safari 11]

Output of php flarum info

Output of "php flarum info", run this in terminal in your Flarum directory.

Possible Solution

Fixed on the 1.x branch https://github.com/flarum/framework/pull/3948

Should we follow the same approach, or consider something different? Maybe introduce a RedirectsServiceProvider as a central place for redirections to reference permitted domains? Perhaps extend RedirectResponse so that it can handle permitted domains behind the scenes?

Additional Context

No response

imorland avatar Jan 05 '24 15:01 imorland
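The allowlist check the issue asks for, as an added example for readers of this thread. It is not Flarum's code and not the fix merged in PR 3948; the function name `safeReturnUrl`, the `$allowedHosts` array and the sample inputs are all hypothetical, and it assumes PHP 8 for `str_contains`/`str_starts_with`. The idea is that the `return` parameter is only honoured when it is a same-site path or points at a host on an explicit allowlist; anything else falls back to the forum's own base URL.

```php
<?php
declare(strict_types=1);

/**
 * Return $return if it is a safe redirect target, otherwise $fallback.
 *
 * Safe means one of:
 *   - a path-relative URL ("/d/123"), which can only resolve on the forum's own host
 *   - an absolute http(s) URL whose host is the forum host or on $allowedHosts
 *
 * $forumHost and $allowedHosts are hypothetical inputs: in a real integration they
 * would come from the forum's base URL and an operator-maintained allowlist.
 */
function safeReturnUrl(string $return, string $forumHost, array $allowedHosts, string $fallback = '/'): string
{
    // Backslashes and control characters are normalised away by browsers ("/\evil.com"
    // becomes "//evil.com"), so reject them before doing any parsing.
    if ($return === '' || str_contains($return, '\\') || preg_match('/[\x00-\x20\x7f]/', $return)) {
        return $fallback;
    }

    $parts = parse_url($return);
    if ($parts === false) {
        return $fallback;
    }

    // Only http and https may ever be used as a Location target.
    if (isset($parts['scheme']) && !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }

    // Absolute (or protocol-relative "//evil.com") URL: the host decides.
    if (isset($parts['host'])) {
        $host = strtolower($parts['host']);
        $permitted = array_map('strtolower', array_merge([$forumHost], $allowedHosts));
        return in_array($host, $permitted, true) ? $return : $fallback;
    }

    // A scheme without a host ("https:evil.com") is resolved by browsers as a host,
    // so it is not a relative path and must not be trusted.
    if (isset($parts['scheme'])) {
        return $fallback;
    }

    // No scheme, no host: accept only a single-slash-rooted path.
    $path = $parts['path'] ?? '';
    if ($path === '' || $path[0] !== '/' || str_starts_with($path, '//')) {
        return $fallback;
    }

    return $return;
}

// Constructed sample inputs, not taken from the issue.
$forumHost    = 'forum.example';
$allowedHosts = ['docs.example'];

$cases = [
    '/d/42-hello'                        => '/d/42-hello',          // same-site path, kept
    'https://forum.example/?x=1'         => 'https://forum.example/?x=1',
    'https://docs.example/guide'         => 'https://docs.example/guide', // allowlisted host
    'https://evil.com'                   => '/',                    // the report's PoC, blocked
    '//evil.com'                         => '/',                    // protocol-relative
    '/\\evil.com'                        => '/',                    // backslash trick
    'https:evil.com'                     => '/',                    // scheme without host
    'https://forum.example@evil.com'     => '/',                    // userinfo trick
    'https://forum.example.evil.com/'    => '/',                    // suffix-matching trap
    'javascript:alert(1)'                => '/',                    // non-http scheme
];

foreach ($cases as $input => $expected) {
    $got = safeReturnUrl($input, $forumHost, $allowedHosts);
    printf("%-36s -> %-32s %s\n", $input, $got, $got === $expected ? 'ok' : 'MISMATCH');
}
```

Two design points matter for an allowlist like this: compare whole hostnames with strict equality rather than `str_contains`/`str_ends_with`, since `forum.example.evil.com` and `forum.example@evil.com` both contain the forum's name; and treat a missing host as "relative" only when the string also has no scheme and starts with exactly one slash, because `parse_url` happily reports `https:evil.com` as a path.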