Evaluate and fix issue known to OpenAM as #201801-04
Since we share a common heritage with OpenAM, the issue described here as "Issue #201801-04: Open Redirect" probably affects wren:AM too.
We need to evaluate if and how this issue affects wren:AM and fix it.
The issue concerns the handling of the goto and gotoOnFail parameters. There are two affected components: RESTLoginView and CommonConfig (part of the Commons UI project).
I can see that the latest updates to the UI (maybe together with the introduction of React) introduced a special gotoUrl component, but that is just a parameter wrapper without any sanitization / validation logic.
TL;DR: This issue applies to us.
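The kind of validation the gotoUrl wrapper is missing, as an added example that is not wren:AM or Commons UI code: resolve the goto / gotoOnFail value against the server's own origin and accept it only if the resulting origin is on an allowlist. The helper names, the allowlist and the SELF_ORIGIN value are assumptions for the example.

```javascript
// Added example (not wren:AM / Commons UI code). Validates a goto or gotoOnFail
// parameter before it is used as a redirect target. Uses the WHATWG URL parser
// built into Node.js, so "//host", "/\host", userinfo tricks and non-http
// schemes are all resolved the same way a browser would resolve them.

// Constructed allowlist of origins this deployment may redirect to (assumption).
const ALLOWED_ORIGINS = new Set([
  "https://am.example.com",
  "https://portal.example.com",
]);

// Origin of the AM server itself; relative goto values resolve against it (assumption).
const SELF_ORIGIN = "https://am.example.com";

// Returns true only if `value` resolves to an http(s) URL on an allowed origin.
function isSafeGotoUrl(value) {
  if (typeof value !== "string" || value.length === 0 || value.length > 2048) {
    return false;
  }
  // Control characters and whitespace are stripped by browsers and can be used
  // to smuggle a scheme or host past naive prefix checks; reject them outright.
  if (/[\u0000-\u001f\u007f\s]/.test(value)) return false;

  let parsed;
  try {
    parsed = new URL(value, SELF_ORIGIN); // "/path" -> SELF_ORIGIN/path, "//h" -> https://h
  } catch (e) {
    return false;
  }
  // Only http(s) targets: blocks javascript:, data:, file: and friends.
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return false;
  // No embedded credentials ("https://am.example.com@evil.example").
  if (parsed.username !== "" || parsed.password !== "") return false;
  // The allowlist is compared on the normalized origin (scheme + host + port).
  return ALLOWED_ORIGINS.has(parsed.origin);
}

// Returns the absolute URL to redirect to, or `fallback` when goto is not safe.
function resolveGoto(value, fallback = "/") {
  return isSafeGotoUrl(value) ? new URL(value, SELF_ORIGIN).href : fallback;
}
```

Note that a scheme downgrade (http:// for an https-only allowlist entry) and a lookalike host such as am.example.com.evil.example both fail the origin comparison rather than needing separate string checks.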