Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-87063

Typos can result in no redirect protection

    XMLWordPrintable

    Details

      Description

      A typo when setting the value of the redirect.url.security.mode property can lead to a situation where there is no redirection protection at all.

      1. Add the following to your portal-ext.properties 
        redirect.url.security.mode=domainZ
redirect.url.domains.allowed=localhost
      2. Go to http://localhost:8080/c/portal/login?redirect=http://www.example.com
      3. Sign in

      Result
      User is redirected to example.com
      Expected Result
      Since the security mode is invalid, the portal should fall back on using IP mode.

        Attachments

          Activity

            People

            Assignee:
            hong.zhao Hong Zhao (Inactive)
            Reporter:
            samuel.kong Samuel Kong
            Participants of an Issue:
            Recent user:
            Csaba Turcsan
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:
              Days since last comment:
              2 years, 48 weeks, 2 days ago

                Packages

                Version Package
                7.0.0 DXP FP68
                7.0.X
                7.1.10 DXP FP5
                7.1.10.1 SP1
                7.1.2 CE GA3
                7.1.X
                Master