  1. eZ Publish / Platform
  2. EZP-20156

eZ Comments - Full URL in "RedirectURI" blocked by security rules


Details

    • Type: Improvement
    • Resolution: Fixed
    • Priority: High
    • Customer request
    • eZ Publish 4.7 (eZ Demo) + eZ Comments 1.4

    Description

      The eZ Comments extension includes a full URL in the "RedirectURI" parameter of the generated POST requests, e.g.:

      /fre/comment/add|ContentObjectID=5060&CommentLanguageCode=fre-FR&RedirectURI=http://www-pp.dircomaxafrance.intraxa/fre/TEST-FLM#lastcomment&CommentParentCommentID=0&CommentName=&CommentEmail=&CommentContent=&CommentRememberme=1&AddCommentButton=Ajouter+un+commentaireurl'
      

      The "RedirectURI" parameter should not include the full URL (including http://www-pp.dircomaxafrance.intraxa), only the relative URI. As it is, comments can be blocked by tight security rules, even though this poses no security risks.

      Steps to Reproduce

      1. Install eZ Publish eZ Demo, which already includes the eZ Comments 1.4;
      2. Open Firebug;
      3. Create a new comment on an existing blog post;
      4. Firebug (Firebug->Net->All->Post->Source) will list the following:

      /fre/comment/add|ContentObjectID=5060&CommentLanguageCode=fre-FR&RedirectURI=http://www-pp.dircomaxafrance.intraxa/fre/TEST-FLM#lastcomment&CommentParentCommentID=0&CommentName=&CommentEmail=&CommentContent=&CommentRememberme=1&AddCommentButton=Ajouter+un+commentaireurl'
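
      One way to reduce the full URL shown above to the relative URI the report asks for, as an added example that is not code from eZ Comments or from the eventual fix. The helper name `toRelativeRedirectUri()`, its parameters, and the rule that a URL naming any host other than the site's own falls back to `/` are assumptions made for this sketch.

```php
<?php
// Added example; toRelativeRedirectUri() is a hypothetical helper, not eZ Comments code.
// It keeps only the path, query and fragment of a redirect target.
function toRelativeRedirectUri( $uri, $siteHost, $fallback = '/' )
{
    // Whitespace, control characters and backslashes are never valid here.
    if ( preg_match( '/[\x00-\x20\x7f\\\\]/', $uri ) )
        return $fallback;

    $parts = parse_url( $uri );
    if ( $parts === false )
        return $fallback;

    if ( isset( $parts['scheme'] ) )
    {
        // Only http(s) URLs naming a host can be reduced to a relative URI.
        $scheme = strtolower( $parts['scheme'] );
        if ( !isset( $parts['host'] ) || ( $scheme !== 'http' && $scheme !== 'https' ) )
            return $fallback;
    }
    // Assumption: a host other than the site's own is not a valid return target.
    if ( isset( $parts['host'] ) && strcasecmp( $parts['host'], $siteHost ) !== 0 )
        return $fallback;

    $path = isset( $parts['path'] ) ? $parts['path'] : '/';
    // The result must be a single-slash absolute path ("//host" is scheme-relative).
    if ( $path === '' || $path[0] !== '/' || strpos( $path, '//' ) === 0 )
        return $fallback;

    $relative = $path;
    if ( isset( $parts['query'] ) )
        $relative .= '?' . $parts['query'];
    if ( isset( $parts['fragment'] ) )
        $relative .= '#' . $parts['fragment'];
    return $relative;
}

// Constructed inputs; the first is the RedirectURI value from the request above.
$siteHost = 'www-pp.dircomaxafrance.intraxa';
$samples = array(
    'http://www-pp.dircomaxafrance.intraxa/fre/TEST-FLM#lastcomment',
    '/fre/TEST-FLM?page=2#lastcomment',
    'http://other.example/fre/TEST-FLM',
    '//other.example/fre/TEST-FLM',
);
foreach ( $samples as $sample )
    echo $sample, ' => ', toRelativeRedirectUri( $sample, $siteHost ), "\n";
```

      Emitting the relative form in the comment form keeps `http://` out of the POST body, which is the pattern the report says tight security rules block.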
      

      People

        Assignee: Unassigned
        Reporter: Nuno Oliveira (Inactive), nuno.oliveira-obsolete@ez.no