[dancer-users] New release of DPAE with return_url fixes

Andrew Beverley andy at andybev.com
Wed Dec 19 08:17:54 GMT 2018

Dear all,

I have just released a new version of Dancer2::Plugin::Auth::Extensible.

This contains a number of changes to the return_url functionality
(forwarding to a URL after login). In particular:

- It fixes a medium-level security vulnerability, whereby return_url
could be used for Open URL Redirection attacks[1] with links such
as /login?return_url=http://news.bbc.co.uk/

- It fixes a problem with apps mounted on paths where the path was
included twice (GH 82 & 74)

I've tested fairly thoroughly and I don't think I've broken anything,
but let me know if you experience any problems.



[1] https://portswigger.net/kb/issues/00500100_open-redirection-reflected

More information about the dancer-users mailing list