
A potential security risk #843

Description

@Fushuling

Hello opencms-core development team,
I've noticed a potential security vulnerability in this project. I understand that according to security.md, I should submit it through the Alkacon online website. However, I've noticed that the problematic code isn't actually called within the project; it only takes effect when a custom JSP explicitly calls the function. Therefore, I believe this is more of a security enhancement than a vulnerability, so I'm submitting an issue directly.

On the JSP login page, the project attempts to prevent open redirect attacks. The logic is to parse the URL using new URI, and if a scheme exists, it is considered an absolute path and blocked.


This raises a problem: for URLs like //fushuling.com, Java does not parse out the scheme.

import java.net.URI;
import java.net.URISyntaxException;

public class test {
    public static void main(String[] args) {
        // Protocol-relative target: it has no scheme, but a browser resolves it to http://fushuling.com
        String redirectUri = "//fushuling.com";
        try {
            URI uriObj = new URI(redirectUri);
            // Only a URI that carries a scheme is treated as absolute and blocked
            if (uriObj.getScheme() != null) {
                System.out.println("Absolute URL not allowed as redirect URI: " + redirectUri);
            }
        } catch (URISyntaxException e) {
            System.out.println("Invalid redirect URI");
        }
        // getScheme() returns null for "//fushuling.com", so the redirect goes ahead
        System.out.println("Redirect URI: " + redirectUri);
    }
}

However, during the actual browser redirection process, URLs like //fushuling.com will have their HTTP headers automatically completed and will be redirected to http://fushuling.com, thus bypassing the URL restriction here.
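The following is an added example written for this page; it is not OpenCms code and not the reporter's code. The class and method names (RedirectTargetCheck, schemeOnlyCheckAllows, isSafeLocalRedirect) are assumptions, and schemeOnlyCheckAllows is a reconstruction of the scheme-only logic the report describes, not the project's actual method. It puts that check beside a hardened one that only accepts a site-relative path, and runs both over constructed inputs, including the protocol-relative forms a browser will still send off-site.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;

// Added example, not OpenCms code: contrasts a scheme-only redirect check with
// one that also rejects protocol-relative targets such as //host and ///host.
public class RedirectTargetCheck {

    // Reconstruction of the check the report describes (assumed shape):
    // a target is rejected only when java.net.URI finds a scheme in it.
    static boolean schemeOnlyCheckAllows(String redirectUri) {
        try {
            return new URI(redirectUri).getScheme() == null;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    // Hardened check: accept only a path rooted at this site.
    static boolean isSafeLocalRedirect(String redirectUri) {
        if (redirectUri == null || redirectUri.isEmpty()) {
            return false;
        }
        // Browsers treat a backslash like a slash in http(s) URLs, so "/\host"
        // navigates to host. java.net.URI rejects backslashes anyway; be explicit.
        if (redirectUri.indexOf('\\') >= 0) {
            return false;
        }
        // Must be a rooted path and must not open with two or more slashes:
        // "//host" is protocol-relative, and browsers also collapse "///host"
        // to http(s)://host, while java.net.URI parses "///host" as a plain
        // path with no authority. The raw-string check is therefore required.
        if (redirectUri.charAt(0) != '/' || redirectUri.startsWith("//")) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(redirectUri);
        } catch (URISyntaxException e) {
            return false;
        }
        // Defence in depth: the string checks above already exclude these cases,
        // but reject anything that still parsed with a scheme or an authority.
        return uri.getScheme() == null && uri.getRawAuthority() == null;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; fushuling.com is the host used in the report.
        List<String> samples = List.of(
            "/system/login/",           // legitimate site-relative path
            "/index.html?x=1#top",      // query and fragment are fine
            "http://fushuling.com",     // absolute, caught by both checks
            "//fushuling.com",          // protocol-relative, missed by the scheme-only check
            "///fushuling.com",         // extra slash, also missed by the scheme-only check
            "/\\fushuling.com",         // backslash; java.net.URI rejects it
            "javascript:alert(1)"       // scheme present, caught by both checks
        );
        System.out.printf("%-26s %-12s %s%n", "input", "scheme-only", "hardened");
        for (String s : samples) {
            System.out.printf("%-26s %-12b %b%n",
                s, schemeOnlyCheckAllows(s), isSafeLocalRedirect(s));
        }
    }
}
```

Running main prints one row per input: "//fushuling.com" and "///fushuling.com" are allowed by the scheme-only check and refused by the hardened one, while the absolute and javascript: targets are refused by both. The string-level checks come first on purpose: resolving the target against the site's base URI with URI.resolve and comparing hosts would not help for "///fushuling.com", because java.net.URI assigns it no authority and resolves it to a path on the same host, which is not what a browser does with it.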
