PUBLIC - Liferay Portal Community Edition / LPS-61774

Update PortalImpl escapeRedirect and use WARN instead of DEBUG to notify the Admins when the redirect to a given domain or IP address is forbidden

Details

    Description

      com.liferay.portal.util.PortalImpl.escapeRedirect(String url) logs at DEBUG level when the given URL would redirect to a domain or IP address that is not allowed:

      12:28:48,065 DEBUG [http-bio-8080-exec-6][PortalImpl:841] Redirect URL http://myip.asd:8080/group/control_panel/manage/-/server/resources?refererPlid=20185&controlPanelCategory=configuration&_137_delta=0&_137_cur=0 is not allowed
      

      However, we should use WARN so that portal server administrators can easily distinguish, based on the log, attempts to redirect to an invalid location.
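
      A log check an administrator could run over the message format quoted above, as an added example that is not Liferay code or part of this ticket: it counts rejected redirect targets per host among the events visible at a given log threshold. The WARN and INFO sample lines, the `.example` hosts and the function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Message format quoted in the ticket:
# HH:MM:SS,mmm LEVEL [thread][PortalImpl:line] Redirect URL <url> is not allowed
LINE_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2},\d{3}\s+(?P<level>[A-Z]+)\s+"
    r"\[[^\]]+\]\[PortalImpl:\d+\]\s+"
    r"Redirect URL (?P<url>.+) is not allowed\s*$"
)
LEVELS = {"TRACE": 0, "DEBUG": 1, "INFO": 2, "WARN": 3, "ERROR": 4, "FATAL": 5}

# First line is the one from the ticket; the other three are constructed samples.
SAMPLE = [
    "12:28:48,065 DEBUG [http-bio-8080-exec-6][PortalImpl:841] Redirect URL "
    "http://myip.asd:8080/group/control_panel/manage/-/server/resources"
    "?refererPlid=20185&controlPanelCategory=configuration&_137_delta=0&_137_cur=0"
    " is not allowed",
    "12:31:02,114 WARN  [http-bio-8080-exec-3][PortalImpl:841] Redirect URL "
    "http://phish.example/login is not allowed",
    "12:31:09,730 WARN  [http-bio-8080-exec-7][PortalImpl:841] Redirect URL "
    "//PHISH.example/a?b=1 is not allowed",
    "12:31:10,002 INFO  [http-bio-8080-exec-7][SomeClass:10] Unrelated message",
]

def parse_blocked_redirect(line):
    """Return (level, host) for a rejected-redirect log line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        host = urlsplit(m.group("url")).hostname  # lower-cased, port stripped
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        host = None
    return m.group("level"), host or "<unparsed>"

def blocked_hosts(lines, min_level="WARN"):
    """Count rejected redirect targets per host at or above min_level."""
    threshold = LEVELS[min_level]
    hits = Counter()
    for line in lines:
        event = parse_blocked_redirect(line)
        if event and LEVELS.get(event[0], -1) >= threshold:
            hits[event[1]] += 1
    return hits

if __name__ == "__main__":
    print("visible at WARN :", dict(blocked_hosts(SAMPLE)))
    print("visible at DEBUG:", dict(blocked_hosts(SAMPLE, "DEBUG")))
```

      With the default WARN threshold the ticket's own DEBUG event does not appear in the count, which is the visibility gap the ticket describes.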

      Attachments

        1. fix61774.png (32 kB)
        2. fix61774master.png (29 kB)
        3. reproduce61774.png (16 kB)

            People

              ian.song Ian Song (Inactive)
              tibor.lipusz Tibor Lipusz
              Rafaela Nascimento Rafaela Nascimento

              Dates

                Created:
                Updated:
                Resolved:
                7 years, 4 weeks, 3 days ago

                Packages

                  Version Package
                  6.1.X EE
                  6.2.X EE
                  7.0.0 Beta 3