_next security flaw?


PN

Jul 1, 2015, 5:08:00 PM
to web2py-d...@googlegroups.com
The _next variable allows redirecting the user to an arbitrary URI, exposing a potential security flaw. One of my company's web2py apps was tagged as having this issue in a routine 3rd party scan. I am fixing this for the web2py we use by creating a whitelist feature; is this something I should contribute back? Not sure if this is a design philosophy difference or an oversight.

Massimo DiPierro

Jul 1, 2015, 5:16:08 PM
to web2py-d...@googlegroups.com
Actually no. In recent versions of web2py (for about 1 year) the _next parameter is validated and does not allow redirects to arbitrary URLs.
Specifically we have these defaults:

        auth.settings.prevent_open_redirect_attacks=True,
        auth.settings.prevent_password_reset_attacks=True,

Anyway, if we missed some corner case, please let us know, privately (massimo....@gmail.com)

Massimo


On Jul 1, 2015, at 4:08 PM, PN <pal...@fielddiagnostics.com> wrote:

The _next variable allows redirecting the user to an arbitrary URI, exposing a potential security flaw. One of my company's web2py apps was tagged as having this issue in a routine 3rd party scan. I am fixing this for the web2py we use by creating a whitelist feature; is this something I should contribute back? Not sure if this is a design philosophy difference or an oversight.

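To make concrete what "validating _next" has to cover, here is an added example of a same-origin check for a post-login redirect target. It is illustration code written for this thread, not web2py's implementation of prevent_open_redirect_attacks, and the allowed host list (app.example.com) and the fallback path are constructed for the example. It exercises the corner cases a scanner typically probes: scheme-relative //host targets, extra leading slashes, backslashes that browsers treat as slashes, userinfo tricks (good.host@evil.host) and non-HTTP schemes.

```python
from urllib.parse import urlsplit

# Constructed for this example: the hosts this application answers for.
ALLOWED_HOSTS = {"app.example.com"}
# Where to send the user when _next is missing or rejected.
DEFAULT_NEXT = "/"


def is_safe_next(next_url, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if next_url keeps the user on this application."""
    if not next_url:
        return False
    # Backslashes and control characters: browsers treat "\" like "/" and
    # may strip control characters, so "/\evil.example" parses here as a
    # local path but redirects off-site in a browser. Reject outright.
    if "\\" in next_url or any(ord(c) < 0x20 for c in next_url):
        return False
    try:
        parts = urlsplit(next_url)
    except ValueError:
        # e.g. an unbalanced IPv6 bracket; malformed input is never safe.
        return False
    # Only http(s) targets are acceptable; javascript:, data: etc. are not.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.netloc:
        # Absolute or scheme-relative (//host/...) URL: the parsed hostname
        # must be one of ours. urlsplit().hostname already discards any
        # userinfo, so "https://app.example.com@evil.example/" yields
        # "evil.example" and is rejected.
        host = parts.hostname
        return host is not None and host.lower() in allowed_hosts
    # Relative reference: require an absolute path. "///evil.example" has an
    # empty netloc for urlsplit, but browsers collapse the extra slashes and
    # treat it as scheme-relative, so anything starting with "//" is refused.
    return next_url.startswith("/") and not next_url.startswith("//")


def safe_redirect_target(next_url, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_NEXT):
    """Return next_url if it passes the check, otherwise the fixed default."""
    return next_url if is_safe_next(next_url, allowed_hosts) else default


if __name__ == "__main__":
    # Constructed sample values a scanner might submit as _next.
    for candidate in ["/dashboard", "//evil.example/", "///evil.example",
                      "https://app.example.com/account",
                      "https://app.example.com@evil.example/",
                      "javascript:alert(1)", "/\\evil.example"]:
        print(repr(candidate), "->", safe_redirect_target(candidate))
```

The design choice worth noting is that the relative-path branch is deliberately stricter than the URL parser: the check trusts the parser for what it does see (scheme, hostname) but adds its own rules for inputs where Python's parsing and a browser's disagree. Falling back to a fixed default rather than rejecting the login keeps the behaviour invisible to legitimate users.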

PN

Jul 1, 2015, 7:01:28 PM
to web2py-d...@googlegroups.com
Emailed privately with Massimo. Pull request submitted.

Massimo DiPierro

Jul 2, 2015, 8:02:06 AM
to web2py-d...@googlegroups.com
Thank you very much! Nice clean fix.