Hello opencms-core development team,
I've noticed a potential security vulnerability in this project. I understand that according to security.md, I should submit it through the Alkacon online website. However, I've noticed that the problematic code isn't actually called within the project; it only takes effect when a custom JSP explicitly calls the function. Therefore, I believe this is more of a security enhancement than a vulnerability, so I'm submitting an issue directly.
On the JSP login page, the project attempts to prevent open redirect attacks. The logic is to parse the URL using `new URI`, and if a scheme exists, it is considered an absolute path and blocked.
This raises a problem: for URLs like `//fushuling.com`, Java does not parse out the scheme.
```java
import java.net.URI;

public class Test {
    public static void main(String[] args) {
        String redirectUri = "//fushuling.com";
        try {
            URI uriObj = new URI(redirectUri);
            // getScheme() is null for a scheme-relative URL, so this branch is skipped
            if (uriObj.getScheme() != null) {
                System.out.println("Absolute URL not allowed as redirect URI: " + redirectUri);
            }
        } catch (Exception e) {
            System.out.println("Invalid redirect URI");
        }
        // Reached with the target unchanged: the check did not block it
        System.out.println("Redirect URI: " + redirectUri);
    }
}
```
However, during the actual browser redirection process, URLs like //fushuling.com will have their HTTP headers automatically completed and will be redirected to http://fushuling.com, thus bypassing the URL restriction here.
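The scheme-only check from the issue next to a stricter one, as an added example that is not part of the original report or of the OpenCms code base. The class and method names are hypothetical, and it assumes login redirects only ever need to target a path on the same site.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class RedirectTargetCheck {

    // The check described in the issue: only a parsed scheme marks the target as external.
    static boolean schemeOnlyCheck(String target) {
        try {
            return target != null && new URI(target).getScheme() == null;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    // Stricter check (assumption: redirects only ever go to a path on the same site).
    static boolean localPathOnly(String target) {
        if (target == null || !target.startsWith("/") || target.startsWith("//")) {
            return false; // must be a single-slash, site-relative path
        }
        try {
            URI uri = new URI(target);
            // No scheme and no authority: "//host" sets an authority even without a scheme.
            return uri.getScheme() == null && uri.getRawAuthority() == null;
        } catch (URISyntaxException e) {
            return false; // backslashes, spaces and control characters fail to parse
        }
    }

    public static void main(String[] args) {
        // Constructed sample targets; "//fushuling.com" is the value from the issue.
        String[] samples = { "/app/home?tab=1", "https://fushuling.com/", "//fushuling.com" };
        for (String s : samples) {
            System.out.printf("%-24s schemeOnly=%-5b localPathOnly=%b%n",
                    s, schemeOnlyCheck(s), localPathOnly(s));
        }
    }
}
```

Only the scheme-relative target differs between the two columns: the scheme-only check accepts it, while the path-only check rejects it because `java.net.URI` reports a host for it even though the scheme is null.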