[dancer-users] New release of DPAE with return_url fixes
Andrew Beverley
andy at andybev.com
Wed Dec 19 08:17:54 GMT 2018
Dear all,
I have just released a new version of Dancer2::Plugin::Auth::Extensible.
This contains a number of changes to the return_url functionality
(forwarding to a URL after login). In particular:
- It fixes a medium-level security vulnerability, whereby return_url
could be used for Open URL Redirection attacks[1] with links such
as /login?return_url=http://news.bbc.co.uk/
- It fixes a problem with apps mounted on paths where the path was
included twice (GH 82 & 74)
I've tested fairly thoroughly and I don't think I've broken anything,
but let me know if you experience any problems.
Regards,
Andy
[1] https://portswigger.net/kb/issues/00500100_open-redirection-reflected
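
As an added illustration (not code from DPAE or from the release above), the check below shows what rejecting an open redirect in return_url looks like, and how to avoid prepending a mount point twice. The helper name safe_return_url, its $base argument and the demo inputs are my own assumptions, not the plugin's API; it assumes the framework has already percent-decoded the query parameter, which Dancer2 does.

```perl
#!/usr/bin/env perl
# Added example, not Dancer2::Plugin::Auth::Extensible code.
# Validates a return_url so that a login form can only redirect to a
# same-origin path, and prefixes the application's mount point exactly once.
use strict;
use warnings;

# safe_return_url($return_url, $base, $fallback)
#   $return_url : the value taken from ?return_url=... (already URL-decoded)
#   $base       : path the app is mounted under, e.g. '/myapp' ('' or '/' for root)
#   $fallback   : where to send the user when the value is rejected (default '/')
# Returns a path that is always relative to the current origin.
sub safe_return_url {
    my ($return_url, $base, $fallback) = @_;
    $base     //= '';
    $fallback //= '/';

    # Normalise the mount point: leading slash, no trailing slash.
    $base = "/$base" if $base ne '' && $base !~ m{\A/};
    $base =~ s{/+\z}{};

    return $fallback unless defined $return_url && length $return_url;

    # Reject anything a browser could resolve to a different origin:
    #   http://news.bbc.co.uk/   absolute URL (the case fixed in this release)
    #   //evil.example/          protocol-relative URL
    #   /\evil.example/          browsers normalise backslash to slash
    #   javascript:alert(1)      no leading slash at all
    # Only a single leading slash followed by neither '/' nor '\' is accepted.
    return $fallback unless $return_url =~ m{\A/(?![/\\])};

    # Reject control characters (CR/LF would allow header injection
    # in the Location header; other controls confuse parsers).
    return $fallback if $return_url =~ /[\x00-\x1f\x7f]/;

    # Mount-point handling: add $base only if the path does not already
    # start with it, so a stored return_url that already contains the
    # mount point is not prefixed a second time.
    if ($base ne '' && $return_url !~ m{\A\Q$base\E(?:/|\?|#|\z)}) {
        $return_url = $base . $return_url;
    }

    return $return_url;
}

# Constructed demo inputs; app assumed to be mounted at /myapp.
my @candidates = (
    '/dashboard?tab=1',          # accepted, gets the mount point prepended
    '/myapp/settings',           # accepted, mount point already present
    'http://news.bbc.co.uk/',    # rejected: absolute URL
    '//evil.example/',           # rejected: protocol-relative
    '/\\evil.example',           # rejected: backslash trick
    "/foo\r\nSet-Cookie: a=b",   # rejected: control characters
    undef,                       # rejected: missing
);

for my $candidate (@candidates) {
    printf "%-30s => %s\n",
        defined $candidate ? $candidate : '(undef)',
        safe_return_url($candidate, '/myapp');
}
```

Running it prints /myapp/dashboard?tab=1 and /myapp/settings for the first two inputs and the fallback / for the rest. The deliberate choice is an allow-list on shape (one leading slash, nothing that can carry a host) rather than a deny-list of known bad prefixes, since the latter tends to miss encodings and browser quirks.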