  eZ Publish / Platform - EZP-24881

Exclude url wildcards on the allowed redirect hosts check

    Details

      Description

      In legacy there is a check that allows redirects only to hosts whitelisted in site.ini. It was introduced in the following commit: https://github.com/ezsystems/ezpublish-legacy/commit/63ac69894d3542d7e907a6f4f556f8b368637f11.
      This improvement aims to allow redirection to hosts that are the destinations of Wildcard URL Aliases without having to whitelist them explicitly in the configuration.

      Original ticket description:

      If a redirect is coming from the URL wildcards module, you don't have to check the host. It is too much effort to also put every host into site.ini.

      Based on this commit, we would like an improvement that excludes URL wildcards from this check when that is the case. Something like this (but we still don't have an idea of where the better place is to check whether the redirect comes from the URL wildcard module, in this case the variable $fromUrlWildcardModule):

               if ( strlen( $originalURI ) != 0 and
                    strlen( $uri ) == 0 )
                   $uri = '/';
       
              $urlComponents = parse_url( $uri );
              if ( isset( $urlComponents['host'] ) && $urlComponents['host'] !== eZSys::hostname() )
              {
      // +++++++++HERE IS THE WORKAROUND
      +            if (!$fromUrlWildcardModule) {
                      $allowedHosts = $this->getAllowedRedirectHosts();
                      if ( !isset( $allowedHosts[$urlComponents['host']] ) )
                      {
                          // Non-authorized host, return only the URI (without host) + query string and fragment if present.
                          eZDebug::writeError( "Redirection requested on non-authorized host '{$urlComponents['host']}'" );
                          header( $_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden' );
                          echo "Redirection requested on non-authorized host";
                          eZDB::checkTransactionCounter();
                          eZExecution::cleanExit();
      +                }
      // +++++++++} // END
              }
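      Review bot: the `if (!$fromUrlWildcardModule)` guard placed before `$allowedHosts = $this->getAllowedRedirectHosts();` switches the host check off completely for wildcard hits, so every external host that any URL wildcard points to becomes a permitted redirect target and the site.ini list no longer bounds where a redirect can send a user; whoever can create a wildcard is then effectively editing the allowlist. Since the goal is only to avoid listing wildcard hosts twice, keep the check and widen its input instead, for example by merging the hosts of external wildcard destinations into `$allowedHosts`, or by comparing `$urlComponents['host']` against the host of the matched wildcard's own destination. Two smaller points: `$fromUrlWildcardModule` is never assigned anywhere in the hunk (the ticket itself says the place to set it is still open), and `$urlComponents['host'] !== eZSys::hostname()` is a case-sensitive comparison while host names are not, so a target written as `WWW.Example.com` is treated as a foreign host even when it is the local one.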
      

      Thanks in advance.
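      The allowlist check discussed above, as an added example rather than eZ Publish code: a redirect validator whose permitted-host set is built from the configured list plus the hosts of external wildcard destinations, so wildcard hits stay inside the check instead of bypassing it. The function names, the `AllowedRedirectHosts` reading, and all sample hosts and wildcard destinations below are assumptions constructed for the example; the validator also refuses the forms that `parse_url()` reports without a host but that a browser would still send off-site.

```php
<?php
// Added example (not eZ Publish code): validate a redirect target against an
// allowlist of hosts built from site.ini plus the hosts of external
// URL-wildcard destinations, instead of skipping the check for wildcard hits.
// Function names, the AllowedRedirectHosts setting and all sample data below
// are assumptions constructed for this example.

/**
 * Host a browser would be sent to for $uri, lowercased.
 * Returns null for a same-site redirect (absolute path only), and false for
 * anything malformed or ambiguous that must not reach a Location header.
 */
function redirectHost(string $uri)
{
    if ($uri === '') {
        $uri = '/';                       // same default as the legacy check
    }
    // CR/LF, spaces and other control bytes would let the target split or
    // inject the Location header; refuse them outright.
    if (preg_match('/[\x00-\x20\x7f]/', $uri)) {
        return false;
    }
    // Browsers treat "\" like "/" in http(s) URLs, parse_url() does not, so
    // "/\evil.example" has to be seen as "//evil.example".
    $uri = str_replace('\\', '/', $uri);

    $parts = parse_url($uri);
    if ($parts === false) {
        return false;
    }
    if (isset($parts['host'])) {
        // "http://allowed.example@evil.example/" parses with user=allowed.example
        // and host=evil.example; only the host decides. Ports are ignored, as
        // in the legacy check.
        $scheme = strtolower($parts['scheme'] ?? 'http');
        if ($scheme !== 'http' && $scheme !== 'https') {
            return false;
        }
        return strtolower($parts['host']);
    }
    // A scheme without "//" ("http:evil.example", "javascript:...") is not a
    // path even though parse_url() reports no host.
    if (isset($parts['scheme'])) {
        return false;
    }
    // Same-site: require exactly one leading "/" so the value can never be
    // read as a protocol-relative "//host".
    if ($uri[0] !== '/' || ($uri[1] ?? '') === '/') {
        return false;
    }
    return null;
}

/**
 * Allowed host set: the current host, the configured list and the host of
 * every wildcard destination that is an external URL. Relative destinations
 * redirect within the site and add nothing.
 */
function buildAllowedRedirectHosts(string $currentHost, array $configuredHosts, array $wildcardDestinations): array
{
    $allowed = [strtolower($currentHost) => true];
    foreach ($configuredHosts as $host) {
        $allowed[strtolower(trim($host))] = true;
    }
    foreach ($wildcardDestinations as $destination) {
        $host = redirectHost($destination);
        if (is_string($host)) {
            $allowed[$host] = true;
        }
    }
    return $allowed;
}

function isRedirectAllowed(string $uri, array $allowedHosts): bool
{
    $host = redirectHost($uri);
    if ($host === false) {
        return false;
    }
    return $host === null || isset($allowedHosts[$host]);
}

// Constructed sample data standing in for eZSys::hostname(), the site.ini
// AllowedRedirectHosts setting and the stored URL wildcard destinations.
$allowed = buildAllowedRedirectHosts(
    'www.example.com',
    ['cdn.example.com'],
    ['content/view/full/2', 'https://partner.example.org/landing', '//mirror.example.net/']
);

$targets = [
    '/content/view/full/2',                      // same-site path
    'https://partner.example.org/landing?x=1',   // host learned from a wildcard
    'http://cdn.example.com:8080/',              // configured host, port ignored
    'https://evil.example/',                     // unknown host
    'https://partner.example.org@evil.example/', // userinfo trick
    '//evil.example/',                           // protocol-relative
    '/\\evil.example/',                          // backslash variant
    'http:evil.example',                         // scheme without "//"
    "https://evil.example/\r\nSet-Cookie: a=b",  // header injection attempt
];
foreach ($targets as $target) {
    printf("%-48s %s\n", addcslashes($target, "\r\n"), isRedirectAllowed($target, $allowed) ? 'allowed' : 'refused');
}
```

      The set is keyed by host only, so the port and scheme of a wildcard destination do not matter, matching the legacy check's behaviour. Same-site targets are restricted to absolute paths because that is the shape of legacy module URIs; a query-only or scheme-relative value is refused rather than guessed at.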

        Issue Links

          Activity

          Kristina Ebel added a comment -

          Hey guys,

          is there anything new in this issue?

          Thanks


            People

              Assignee: Unassigned
              Reporter: Ricardo Correia (Inactive)
              Votes: 0
              Watchers: 3

              Dates

              • Created:
                Updated: