[1.x] fix: Logout controller allows open redirects #3948
Would be nice to see an integration test, but otherwise the code makes sense!
Haven't tested this, but left some comments for improvement.
I did try, however we need to make some changes to For example:

```php
public function logout_with_forum_redirect(string $returnUrl)
{
    // Pass the return URL through the query parameter the logout route reads.
    $encodedReturnUrl = urlencode($returnUrl);
    $response = $this->send(
        $this->request('GET', '/logout?return=' . $encodedReturnUrl)
    );

    // A permitted return URL should be redirected to unchanged.
    $this->assertEquals(302, $response->getStatusCode());
    $this->assertEquals($returnUrl, $response->getHeaderLine('location'));
}
```

This is a test I attempted to write for this, but we currently don't have the ability to pass the query, due to
Prevents open redirects on the LogoutController. By default, only return URLs on the forum host are permitted. Additional domains may be whitelisted using config.php:
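As an added illustration of the host check the description outlines (this is example code, not the PR's or Flarum's own implementation), a standalone validator that accepts a return URL only when it is relative, on the forum host, or on an operator-supplied allowlist; the function name, `$forumUrl` and `$allowedHosts` are hypothetical stand-ins for the forum base URL and the config.php whitelist.

```php
<?php
declare(strict_types=1);
/**
 * Decide whether a logout return URL may be redirected to.
 * Hypothetical helper, not Flarum's own code: $forumUrl stands in for the
 * forum's configured base URL and $allowedHosts for the extra domains a
 * site operator would whitelist in config.php.
 */
function isSafeReturnUrl(string $returnUrl, string $forumUrl, array $allowedHosts = []): bool
{
    $forumHost = strtolower((string) parse_url($forumUrl, PHP_URL_HOST));
    if ($forumHost === '') {
        return false;
    }

    // A path-only URL ("/tags") stays on the forum. Scheme-relative "//host"
    // and its backslash variant are absolute URLs to browsers, so fall through.
    if ($returnUrl !== '' && $returnUrl[0] === '/' && !preg_match('#^/[/\\\\]#', $returnUrl)) {
        return true;
    }

    $parts = parse_url($returnUrl);
    if ($parts === false || !isset($parts['host'])) {
        return false;
    }

    // Only http(s) targets; javascript:, data: and similar are never a return URL.
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;
    }

    // Compare the parsed host (not a substring of the raw string) so that
    // userinfo tricks like "https://forum@other/" resolve to the real host.
    $host = strtolower($parts['host']);
    $allowed = array_map('strtolower', $allowedHosts);
    return $host === $forumHost || in_array($host, $allowed, true);
}

// Constructed inputs for a quick self-check.
$forum = 'https://forum.example.test';
$extra = ['blog.example.test'];
assert(isSafeReturnUrl('https://forum.example.test/tags', $forum, $extra) === true);
assert(isSafeReturnUrl('/d/1-hello', $forum, $extra) === true);
assert(isSafeReturnUrl('https://blog.example.test/post', $forum, $extra) === true);
assert(isSafeReturnUrl('https://other.example.test/', $forum, $extra) === false);
assert(isSafeReturnUrl('//other.example.test', $forum, $extra) === false);
assert(isSafeReturnUrl('https://forum.example.test@other.example.test/', $forum, $extra) === false);
assert(isSafeReturnUrl('javascript:alert(1)', $forum, $extra) === false);
```

Run with `php -d zend.assertions=1 file.php`; a rejected URL should make the controller fall back to the forum base URL rather than redirecting.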