[dev] Deprecated elements
Chuck Hagenbuch
chuck at horde.org
Sat Mar 16 16:22:00 UTC 2013
Quoting Michael M Slusarz <slusarz at horde.org>:
> Quoting Michael M Slusarz <slusarz at horde.org>:
>
>> Quoting Chuck Hagenbuch <chuck at horde.org>:
>>
>>> go.php/Horde::externalUrl() is for making sure that session ids in
>>> GET don't get passed to external sites. So unless I'm
>>> misunderstanding, this is a separate thing.
>>
>> Maybe I'm misreading go.php, but this doesn't seem to be the case.
>> 80% of that script is dealing with looking at the target URL and
>> displaying "Dangerous URL" if the target is the same server as the
>> Horde installation. This to me screams "token protection".
>
> Nevermind. The session referrer code is located in externalUrl().
>
> But what I said about go.php still remains. We should most
> definitely not be trying to do "suspicious URL" detection in there.
> The proper way of protecting against this kind of attack is via
> tokens, which we already provide at the framework level.
Definitely agree there. That suspicious URL code is very very old.
-chuck