- Type: Bug
- Status: Closed
- Resolution: Fixed
- Affects Version/s: 7.0.X, 7.1.X, Master
- Fix Version/s: 7.0.0 DXP FP68, 7.0.X, 7.1.10 DXP FP5, 7.1.10.1 SP1, 7.1.2 CE GA3, 7.1.X, Master
- Component/s: Application Security
- Branch Version/s: 7.1.x, 7.0.x
- Backported to Branch: Committed
- Fix Priority: 3
- Git Pull Request:
A typo when setting the value of the redirect.url.security.mode property can lead to a situation where there is no redirection protection at all.
- Add the following to your portal-ext.properties:
  redirect.url.security.mode=domainZ
  redirect.url.domains.allowed=localhost
- Go to http://localhost:8080/c/portal/login?redirect=http://www.example.com
- Sign in
Result
User is redirected to example.com
Expected Result
Since the security mode is invalid, the portal should fall back on using IP mode.
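
The fallback described under Expected Result, sketched in Java as an added example; it is not Liferay's code. The class, method and parameter names are hypothetical, and IP mode is simplified here to comparing IP-literal hosts against an assumed allowlist, with no DNS resolution.

```java
import java.net.URI;
import java.util.Locale;
import java.util.Set;

// Added illustration, not Liferay source. All names here are hypothetical.
public class RedirectModeFallback {
    enum Mode { DOMAIN, IP }

    // Only the exact value "domain" selects domain mode. Anything else,
    // including a typo such as "domainZ", selects IP mode instead of no check.
    static Mode parseMode(String configured) {
        if (configured != null && configured.trim().equals("domain")) {
            return Mode.DOMAIN;
        }
        return Mode.IP;
    }

    // Returns true only if the redirect target passes the selected mode's allowlist.
    static boolean isAllowed(String redirect, String configuredMode,
            Set<String> allowedDomains, Set<String> allowedIps) {
        if (redirect == null) {
            return false;
        }
        String host;
        try {
            host = URI.create(redirect).getHost();
        } catch (IllegalArgumentException e) {
            return false; // unparsable target: reject
        }
        if (host == null) {
            // No host: accept only a same-site absolute path, never "//host" or "scheme:data"
            return redirect.startsWith("/") && !redirect.startsWith("//");
        }
        host = host.toLowerCase(Locale.ROOT);
        if (parseMode(configuredMode) == Mode.DOMAIN) {
            return allowedDomains.contains(host);
        }
        // Simplification (assumption): IP mode compares IP-literal hosts only
        return allowedIps.contains(host);
    }

    public static void main(String[] args) {
        Set<String> domains = Set.of("localhost"); // from the report's configuration
        Set<String> ips = Set.of("127.0.0.1");     // constructed sample allowlist
        // The report's case: mistyped mode, external target
        System.out.println(isAllowed("http://www.example.com", "domainZ", domains, ips));
        System.out.println(isAllowed("http://localhost:8080/web/guest", "domain", domains, ips));
        System.out.println(isAllowed("http://127.0.0.1:8080/", "domainZ", domains, ips));
    }
}
```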