[dev] Deprecated elements
Michael M Slusarz
slusarz at horde.org
Sat Mar 16 15:33:05 UTC 2013
Quoting Michael M Slusarz <slusarz at horde.org>:
> Quoting Chuck Hagenbuch <chuck at horde.org>:
>
>> go.php/Horde::externalUrl() is for making sure that session ids in
>> GET don't get passed to external sites. So unless I'm
>> misunderstanding, this is a separate thing.
>
> Maybe I'm misreading go.php, but this doesn't seem to be the case.
> 80% of that script is dealing with looking at the target URL and
> displaying "Dangerous URL" if the target is the same server as the
> Horde installation. This to me screams "token protection".
Never mind. The session referrer code is located in externalUrl().
But what I said about go.php still remains. We should most definitely
not be trying to do "suspicious URL" detection in there. The proper
way of protecting against this kind of attack is via tokens, which we
already provide at the framework level.
michael
___________________________________
Michael Slusarz [slusarz at horde.org]
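The three mechanisms the thread contrasts, side by side, as an added example that is not Horde's own code: stripping session ids from links to external hosts (what the thread attributes to externalUrl()), the same-server heuristic go.php applies, and a framework-level token check. The host name, session parameter names and secret are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed values: host of the hypothetical installation and the names of
# query parameters that carry a session id.
APP_HOST = "horde.example.org"
SESSION_PARAMS = {"Horde", "PHPSESSID"}


def is_same_server(url: str) -> bool:
    """The go.php-style heuristic: does the target point back at the installation?"""
    return (urlsplit(url).hostname or "").lower() == APP_HOST


def strip_session_params(url: str) -> str:
    """Drop session-id parameters before handing a URL to an external site.
    Links back to the installation keep their query string untouched."""
    parts = urlsplit(url)
    if is_same_server(url):
        return url
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in SESSION_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def make_token(secret: bytes, session_id: str) -> str:
    """Per-session token derived with an HMAC over the session id."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def check_token(secret: bytes, session_id: str, presented: str) -> bool:
    """Constant-time comparison so a mismatch leaks no timing information."""
    return hmac.compare_digest(make_token(secret, session_id), presented)


def handle_redirect(url: str, token: str, secret: bytes, session_id: str):
    """Framework-level decision: honour the redirect only when a valid token
    accompanies it, independent of where the URL points; then scrub the URL.
    Returns ("redirect", clean_url) or ("reject", reason)."""
    if not check_token(secret, session_id, token):
        return ("reject", "missing or invalid token")
    return ("redirect", strip_session_params(url))
```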