Block following redirects in logout #111

Merged
merged 2 commits into from
Jun 18, 2024

Conversation

sergei-maertens
Member

When the logout operation response returns an HTTP 302,
it's possible this redirect causes crashes when they're
being followed/retrieved via requests. In its simplest
case, a 404 could already cause problems.
Block following redirect responses from programmatically calling the
logout operation, for two reasons:

* they may be incomplete endpoints, e.g. the Redirect URI but without
  state parameter or token or anything, which would fail anyway. These
  can cause HTTP 500 errors in downstream projects (as seen in Open
  Forms).
* they can lead to SSRF issues if we don't validate the redirect target
  URL - a malicious/bad OpenID Provider could be a part of a larger
  chain of exploits
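The behaviour the PR describes, as an added example that is not code from this project or its author: a logout call that refuses to follow a 3xx from the OpenID Provider, records the `Location` it would have gone to, and reports a 4xx/5xx as a failure instead of crashing. It uses only the standard library (urllib with a redirect handler that declines every redirect) so it runs offline; with `requests` the equivalent switch is `session.get(url, allow_redirects=False)`. The fake provider, its URL paths and the redirect target `http://internal.example.invalid/callback` are constructed for the demonstration; treating a 3xx as "logout accepted, redirect ignored" is an assumption of this example, not a statement of what the project does.

```python
"""Call an OpenID Provider logout endpoint without following redirects.

Added example; the fake provider and all URLs below are constructed.
"""
import threading
import urllib.error
import urllib.request
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional


@dataclass
class LogoutResult:
    status: int
    location: Optional[str]  # Location header of a redirect we did NOT fetch
    ok: bool


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Decline every redirect; urllib then raises HTTPError for the 3xx."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_opener = urllib.request.build_opener(_NoRedirect)


def call_logout(url: str, timeout: float = 5.0) -> LogoutResult:
    """GET the logout URL; never follow a redirect, never crash on 4xx/5xx."""
    req = urllib.request.Request(url, method="GET")
    try:
        with _opener.open(req, timeout=timeout) as resp:
            return LogoutResult(resp.status, None, True)
    except urllib.error.HTTPError as exc:
        location = exc.headers.get("Location")
        if 300 <= exc.code < 400:
            # Assumption of this example: the provider accepted the logout and
            # wants the *browser* to continue to Location. We only record the
            # target; fetching it server-side is what opens the door to SSRF
            # and to 500s from incomplete redirect URIs.
            return LogoutResult(exc.code, location, True)
        return LogoutResult(exc.code, location, False)


class _FakeProvider(BaseHTTPRequestHandler):
    """Constructed stand-in for an OpenID Provider's end-session endpoint."""

    def do_GET(self):
        if self.path.startswith("/logout-redirect"):
            self.send_response(302)
            # constructed: an incomplete post-logout target on an internal host
            self.send_header("Location", "http://internal.example.invalid/callback")
            self.send_header("Content-Length", "0")
            self.end_headers()
        elif self.path.startswith("/logout-ok"):
            body = b"logged out"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(404)
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_provider():
    """Start the constructed provider on a free local port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), _FakeProvider)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


if __name__ == "__main__":
    server, base = start_fake_provider()
    try:
        for path in ("/logout-redirect", "/logout-ok", "/missing"):
            print(path, call_logout(base + path))
    finally:
        server.shutdown()
```

The key point is that a redirect is surfaced as data (`status`, `location`) rather than acted on: the caller can log or validate the target against an allow-list, but nothing in the logout path ever issues a request to a URL chosen by the provider.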
@sergei-maertens sergei-maertens requested review from stevenbal and vaszig and removed request for vaszig June 17, 2024 15:36
@stevenbal stevenbal merged commit 0145e61 into master Jun 18, 2024
8 checks passed
@stevenbal stevenbal deleted the issue/prevent-following-redirects-in-logout branch June 18, 2024 07:38
Successfully merging this pull request may close these issues.

Do not follow redirects on logout