psam / django-postman / issues / #101 - Open redirect vulnerability within the "next" parameter — Bitbucket

Issue #101 resolved

Rémi Fat Cheung created an issue 2018-06-05

When viewing a message, just add the following ?next=//google.com to your url.

When clicking on the "back" link, or after the message is posted, the browser will be redirected to the link in the URL.

Not a major bug, but someone could eventually use that as a way to redirect visitors to a fishing website if they don't pay attention.

Comments (4)

Patrick Samson repo owner
- changed status to open
My proposal is to silently suppress the scheme part and domain part, if present.

That is: ?next=//elsewhere.com would be read as ?next= (so without effect), and ?next=http://elsewhere.com/page as ?next=/page.

Is it OK for you?
- 2018-06-18T12:06:33+00:00
Patrick Samson repo owner
- assigned issue to
  
  Patrick Samson
- 2018-06-18T12:07:17+00:00
Rémi Fat Cheung reporter
That sounds safer indeed.

Thanks!
- 2018-06-19T14:59:21+00:00
Patrick Samson repo owner
- changed status to resolved
Fixed in repository.
- 2018-06-26T17:26:38+00:00
Log in to comment

Assignee: Patrick Samson

Type: bug

Priority: minor

Status: resolved

Votes: 0

Watchers: 2

Jira: the preferred issue tracker for Bitbucket. Join the team!