Ticket #2933 (closed defect: fixed)

Opened 10 months ago

Last modified 9 months ago

Non-trac based bounce

Reported by: bettse Assigned to: bettse
Priority: major Milestone: 1.1
Component: Elgg Version:
Keywords: Cc:

Description (Last modified by bettse)

Previously we were using a modification to trac to do our SSO redirection. The following mod_rewrite has been put into elgg's .htaccess and can accomplish the same task and moves us further away from having trac core modifications. In order to use this version, a SSO manager (one of the BS founding members) needs to login to the SSO administration panel and change the URL used for redirection. The only hold up on making this live is having a time when a couple of fellow devs can help test it and make sure it doesn't break anything else or itself.

We'll do this using a simple php page that catches the bounce= and redirects based on that (once the elgg module has been corrected to provide a bounce=)

Change History

01/21/09 11:28:19 changed by bettse

This is a moot ticket until we fix #2935 and fix the bounce URL being provided to SSO and thus back to us.

01/21/09 11:33:31 changed by hopsonro

You shouldn't do this - it's an open redirect to any user-supplied URL.

I don't know if mod_rewrite has sufficient mojo to catch all tricks that can sneak a domain through a simple check:

RewriteCond %{QUERY_STRING} bounce=http://beaversource.oregonstate.edu

doesn't necessarily work, because there are attacks that embed the domain as the "username" part of the http request (others as well, this is a simple example):

bounce=http://beaversource.oregonstate.edu@onidphishing.com

I don't know what the 100% solution is, but would advise you to do the redirection in code (not necessarily trac) and not using mod_rewrite, so it's trivial to fix if a problem shows up.

01/21/09 13:11:43 changed by bettse

  • milestone set to 1.1.

01/22/09 13:47:33 changed by bettse

(In [189]) re #2933 As per hopson's security comment, I'm removing the mod_rewrite based version and we'll code up a simple php page to handle this. (At the time of putting the code into trac, we didn't have a social side or any php components with which to do this).

01/22/09 13:48:52 changed by bettse

  • description changed.

01/28/09 22:39:52 changed by cedenoj

(In [208]) refs #2827, #3026, #2890, #2935, #2985, #2933, #2887, #3935, #2929, #2931 Creating new tag

02/10/09 21:22:50 changed by bettse

  • summary changed from use new mod_rewrite based ?bounce= to Non-trac based bounce.

My proposed script for bounce is:

bounce.php

<?php
// Only act on an explicit bounce parameter.
if (isset($_REQUEST['bounce'])) {
    $value = (string) $_REQUEST['bounce'];
    // The value is appended to our own host name, so it must be a local
    // absolute path: a single leading "/" (not "//" or "/\", which browsers
    // read as scheme-relative) and no CR/LF that could inject headers.
    if (preg_match('#^/(?![/\\\\])[^\r\n]*$#', $value)) {
        header('Location: http://' . $_SERVER['SERVER_NAME'] . $value);
        // Stop here so nothing else runs after the redirect is sent.
        exit;
    }
}
?>

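A checked version of the bounce handler, added here as an example that is not the ticket's script nor project code: it parses the value with parse_url, refuses anything carrying a scheme, host, user or port (which is where the userinfo form hopsonro cites, http://beaversource.oregonstate.edu@onidphishing.com, ends up), and rebuilds a same-host URL only from a local path. The host name is assumed from hopsonro's example; the function and constant names are my own.

```php
<?php
// Added example, not the ticket's script: validate ?bounce= as a local path
// before redirecting. Host name is assumed from the ticket's own example.
const BOUNCE_HOST = 'beaversource.oregonstate.edu';

/**
 * Return an absolute URL on $host built from $bounce, or null when
 * $bounce cannot be shown to stay on the site.
 */
function safe_bounce_target(string $bounce, string $host = BOUNCE_HOST): ?string
{
    // CR/LF or other control characters would let the value inject headers.
    if ($bounce === '' || preg_match('/[\x00-\x1f\x7f]/', $bounce)) {
        return null;
    }
    $parts = parse_url($bounce);
    if ($parts === false) {
        return null;
    }
    // "http://beaversource.oregonstate.edu@onidphishing.com" parses with
    // user=beaversource.oregonstate.edu and host=onidphishing.com, and
    // "//onidphishing.com" parses with a host: any of these components means
    // the value is not a plain local path, so refuse it outright.
    foreach (['scheme', 'host', 'user', 'pass', 'port'] as $component) {
        if (isset($parts[$component])) {
            return null;
        }
    }
    $path = $parts['path'] ?? '';
    // Require a single leading "/": "//x" and "/\x" are scheme-relative to browsers.
    if ($path === '' || $path[0] !== '/' || preg_match('#^/[/\\\\]#', $path)) {
        return null;
    }
    $target = 'http://' . $host . $path;
    if (isset($parts['query'])) {
        $target .= '?' . $parts['query'];
    }
    if (isset($parts['fragment'])) {
        $target .= '#' . $parts['fragment'];
    }
    return $target;
}

// Drop-in replacement for the unchecked header() call in bounce.php:
// unknown or unsafe values fall back to the site root instead of leaving it.
$target = isset($_GET['bounce']) ? safe_bounce_target((string) $_GET['bounce']) : null;
header('Location: ' . ($target ?? 'http://' . BOUNCE_HOST . '/'));
exit;
```

With this in place, "/pg/dashboard?x=1" becomes http://beaversource.oregonstate.edu/pg/dashboard?x=1, while the userinfo form, "//onidphishing.com" and "@onidphishing.com" all return null and land on the site root.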

02/11/09 13:57:35 changed by bettse

(In [212]) re #2933

checking of the bounce script that SSO will point to

02/22/09 17:02:08 changed by cedenoj

(In [230]) refs #2674, #2933, #3041, #3043, #3068, #2675, #2677 Creating a new tag, the tickets above are the ones fixed in this tag.

02/24/09 21:20:02 changed by bettse

  • status changed from new to closed.
  • resolution set to fixed.