Bug #19240
closed
Avoid open redirect in login process
Description
Add config option to allow redirect-with-token to http[s]://ipaddr:port/ where ipaddr is in one of the reserved private IP ranges ("not recommended for production")
Updated by Peter Amstutz almost 2 years ago
- Target version changed from 2022-07-20 to 2022-08-03 Sprint
Updated by Peter Amstutz almost 2 years ago
- Target version changed from 2022-08-03 Sprint to 2022-08-17 sprint
Updated by Peter Amstutz over 1 year ago
- Target version changed from 2022-08-17 sprint to 2022-08-31 sprint
Updated by Peter Amstutz over 1 year ago
- Target version changed from 2022-08-31 sprint to 2022-09-28 sprint
Updated by Peter Amstutz over 1 year ago
- Target version changed from 2022-09-28 sprint to 2022-10-12 sprint
Updated by Peter Amstutz over 1 year ago
- Target version changed from 2022-10-12 sprint to 2022-10-26 sprint
Updated by Peter Amstutz over 1 year ago
- Target version changed from 2022-10-26 sprint to 2022-11-09 sprint
Updated by Tom Clegg over 1 year ago
- Status changed from New to In Progress
19240-check-redirect @ 21c7799069b13380913d0dfdd9ecc441d3af7298 -- developer-run-tests: #3354
Updated by Tom Clegg over 1 year ago
With upgrade note:
19240-check-redirect @ ff779b9f1306420462ec5898424188c88bb927a9
Updated by Lucas Di Pentima over 1 year ago
The code LGTM. There's just one suggestion:
- In
LoginClusterfederations, the admin need to list the satellite cluster's URLs, so I think we would need one of two things:- The easiest: Add a note about that on the upgrade notes.
- The fancier: Make
controllerdiscover the URLs, as it doesn't make sense to avoid logins on a LoginCluster.
The "fancier" may have some edge cases, like periodically polling for URL changes, and error handling, so the "easiest" alternative is fine with me, it would just add some burden to the admins
Updated by Lucas Di Pentima over 1 year ago
Addendum: I did read the added upgrade notes, but I think it would be nice to explicitly say that LoginCluster federations also need this config update.
Updated by Tom Clegg over 1 year ago
Good point. Added a bit to call out the federation case specifically.
Agree automatically recognizing remote clusters' URLs would be better, but I think we can call that an additional feature...? (We're already relying on adding these manually. I updated the relevant bits of the federation docs to a) remind to add wb2 as well as wb1 and b) use proper example domains like cluster2.example instead of cluster2.com)
19240-check-redirect @ 710dc7f830f65232389cf191028edfdfe4cefe77
Updated by Tom Clegg over 1 year ago
- Status changed from In Progress to Resolved
Applied in changeset arvados|e2149a153e3432c24320b7574934a5f1f4040df7.