  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-61774

Update PortalImpl escapeRedirect and use WARN instead of DEBUG to notify the Admins when the redirect to a given domain or IP address is forbidden

    Details

      Description

      com.liferay.portal.util.PortalImpl.escapeRedirect(String url) logs at DEBUG level if the given URL would redirect to a domain or IP address that is not allowed:

      12:28:48,065 DEBUG [http-bio-8080-exec-6][PortalImpl:841] Redirect URL http://myip.asd:8080/group/control_panel/manage/-/server/resources?refererPlid=20185&controlPanelCategory=configuration&_137_delta=0&_137_cur=0 is not allowed
      

      However, we should use WARN so that portal server administrators can easily distinguish, based on the log, attempts to redirect to an invalid location.
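
Added example (not part of the ticket or of Liferay's code): a Python log triage script keyed to the message format in the excerpt above. It shows which rejected-redirect events remain visible at a given log threshold, which is the point of moving the message from DEBUG to WARN; the sample lines, the host target.example and all function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Message format taken from the log excerpt in the ticket.
REJECTED = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"\[[^\]]+\]\[[^\]]+\]\s+Redirect URL (?P<url>.+?) is not allowed\s*$"
)
LEVELS = {"DEBUG": 10, "INFO": 20, "WARN": 30, "ERROR": 40}

def parse_rejected_redirects(lines):
    """Return one event per rejected-redirect line; unrelated lines are skipped."""
    events = []
    for line in lines:
        m = REJECTED.match(line.strip())
        if not m:
            continue
        try:
            host = urlsplit(m["url"]).hostname or "(no host)"
        except ValueError:  # e.g. malformed IPv6 literal in the logged URL
            host = "(unparseable)"
        events.append({"time": m["time"], "level": m["level"], "host": host})
    return events

def visible_at(events, threshold):
    """Events that survive a log threshold; unknown levels are kept."""
    floor = LEVELS[threshold]
    return [e for e in events if LEVELS.get(e["level"], floor) >= floor]

def hosts_by_count(events):
    """Rejected redirect targets, most frequent first."""
    return Counter(e["host"] for e in events).most_common()

# Constructed sample: the first line follows the ticket's excerpt (query string
# shortened); the other hosts and the WARN lines are made up for illustration.
SAMPLE_LOG = [
    "12:28:48,065 DEBUG [http-bio-8080-exec-6][PortalImpl:841] Redirect URL http://myip.asd:8080/group/control_panel/manage?refererPlid=20185 is not allowed",
    "12:29:02,310 INFO  [http-bio-8080-exec-2][SomeOtherClass:12] unrelated message",
    "12:31:15,904 WARN  [http-bio-8080-exec-3][PortalImpl:841] Redirect URL http://target.example/login is not allowed",
    "12:31:16,120 WARN  [http-bio-8080-exec-7][PortalImpl:841] Redirect URL http://target.example/login?next=/ is not allowed",
]

if __name__ == "__main__":
    events = parse_rejected_redirects(SAMPLE_LOG)
    print("all rejected:", hosts_by_count(events))
    print("seen at WARN threshold:", hosts_by_count(visible_at(events, "WARN")))
```

With a WARN threshold, the DEBUG-level rejection for myip.asd drops out of the summary, while the same message logged at WARN stays visible.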

        Attachments

        1. fix61774.png (32 kB)
        2. fix61774master.png (29 kB)
        3. reproduce61774.png (16 kB)

              People

              Assignee:
              ian.song Ian Song (Inactive)
              Reporter:
              tibor.lipusz Tibor Lipusz
              Participants of an Issue:
              Recent user:
              Esther Sanz

                Dates

                Days since last comment:
                4 years, 42 weeks, 5 days ago

                  Packages

                  Version Package
                  6.1.X EE
                  6.2.X EE
                  7.0.0 Beta 3