  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-87063

Typos can result in no redirect protection

    Details

      Description

      A typo when setting the value of the redirect.url.security.mode property can lead to a situation where there is no redirection protection at all.

      1. Add the following to your portal-ext.properties:
        redirect.url.security.mode=domainZ
        redirect.url.domains.allowed=localhost
      2. Go to http://localhost:8080/c/portal/login?redirect=http://www.example.com
      3. Sign in

      Result
      User is redirected to example.com
      Expected Result
      Since the security mode is invalid, the portal should fall back on using IP mode.
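
A small model of the fail-open behaviour reported above next to the fail-closed fallback the report expects. It is an added example, not Liferay's code. The function names are hypothetical, and the sketch assumes that `domain` and `ip` are the only valid modes, that the IP allow-list is `redirect.url.ips.allowed` with a default of `127.0.0.1`, and that hosts are compared literally without DNS resolution.

```python
from urllib.parse import urlsplit

VALID_MODES = ("domain", "ip")  # assumption: the only two recognised modes

def parse_properties(text):
    """Read key=value pairs, skipping blank lines and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def csv_set(props, key):
    """Split a comma-delimited property value into a set of entries."""
    return {v.strip() for v in props.get(key, "").split(",") if v.strip()}

def check_redirect(url, props, fail_closed):
    """Return url if the redirect is allowed, else None."""
    parts = urlsplit(url)
    host = parts.hostname
    if host is None:
        # Only plain site-relative paths pass without a host check.
        relative = not parts.scheme and url.startswith("/") and "\\" not in url
        return url if relative else None
    mode = props.get("redirect.url.security.mode", "")
    if mode not in VALID_MODES:
        if not fail_closed:
            return url   # reported behaviour: unknown mode, no check runs
        mode = "ip"      # expected behaviour: fall back to IP mode
    if mode == "domain":
        allowed = csv_set(props, "redirect.url.domains.allowed")
    else:
        # Simplification: literal comparison; 127.0.0.1 is an assumed default.
        allowed = csv_set(props, "redirect.url.ips.allowed") or {"127.0.0.1"}
    return url if host in allowed else None

# Constructed input: the settings and URL from the reproduction steps.
TYPO_CONFIG = parse_properties(
    "redirect.url.security.mode=domainZ\n"
    "redirect.url.domains.allowed=localhost\n"
)
TARGET = "http://www.example.com"

if __name__ == "__main__":
    print("fail-open  :", check_redirect(TARGET, TYPO_CONFIG, fail_closed=False))
    print("fail-closed:", check_redirect(TARGET, TYPO_CONFIG, fail_closed=True))
```

The same membership test on the mode value can run once at startup to log or reject an unrecognised setting, so the typo is caught before any redirect is evaluated.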

            People

            • Assignee:
              hong.zhao Hong Zhao
              Reporter:
              samuel.kong Samuel Kong
              Participants of an Issue:
              Recent user:
              Csaba Turcsan

              Dates

              • Created:
                Updated:
                Resolved:
                Days since last comment:
                50 weeks, 2 days ago

                Packages

                Version Package
                7.0.0 DXP FP68
                7.0.X
                7.1.10 DXP FP5
                7.1.10.1 SP1
                7.1.2 CE GA3
                7.1.X
                Master