Pull Request for Issue #11093.
Redirect to the default menu item if $return is empty, or to any other address on the server, e.g. custom scripts. Not only Joomla internal. Also works with other logout components like com_quicklogout.
Status | New | ⇒ | Pending |
Category | ⇒ | Front End Components |
@killoltailored
I think it's meant like this: After patch is applied you can use external URLs as redirection target, too.
(Just code review. Not tested.)
There was a very purposeful security patch addressing open redirect vulnerabilities applied previously...
I have created a menu item with an external URL, but that menu item is disabled in the "Logout Redirection Page" drop-down list after applying the PR.
@killoltailored it is not about the menu type "external link". You are able to set the URL in a custom script. For example, if you use com_quicklogout, you are able to redirect from a subdomain (where your current Joomla installation maybe is) to the domain itself.
I try to block external URLs by using PHP's parse_url() function. OK, possibly not perfect. One aspect was to allow a logout component to use the Joomla logout function and redirect to a custom script on the same server.
Example:
A Joomla installation on a subdomain. Logout redirects to a custom script which redirects to the main domain.
Currently there is no Joomla way to place the custom script address in the menu settings. This is OK. So the normal user cannot simply redirect to an external URL.
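The comment above mentions using parse_url() to block external redirect targets. As an added illustration (not code from this PR or from Joomla), a redirect check against an explicit host allowlist could look like the following; isAllowedRedirect() and the example.org / example.net host names are hypothetical, and the sketch deliberately rejects relative paths that do not start with a single "/".

```php
<?php
// Added example: validate a post-logout redirect target against an allowlist.
// isAllowedRedirect() is a hypothetical helper, not part of Joomla's API.

function isAllowedRedirect(string $target, array $allowedHosts): bool
{
    // Browsers normalise backslashes and control characters differently
    // than parse_url() does, so refuse them before parsing.
    if ($target === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $target)) {
        return false;
    }

    $parts = parse_url($target);
    if ($parts === false) {
        return false; // seriously malformed URL
    }

    // Userinfo makes "https://trusted@other-host/" look like the trusted host.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }

    if (!isset($parts['host'])) {
        // No host: accept only a rooted path with no scheme, which also
        // rejects scheme-only targets such as javascript: or data:.
        $path = $parts['path'] ?? '';
        return !isset($parts['scheme'])
            && $path !== '' && $path[0] === '/'
            && strncmp($path, '//', 2) !== 0;
    }

    // Absolute or protocol-relative URL: http(s) only, and the host must
    // match an allowlist entry exactly, never by prefix or suffix.
    $scheme = strtolower($parts['scheme'] ?? 'https');
    return in_array($scheme, ['http', 'https'], true)
        && in_array(strtolower($parts['host']), $allowedHosts, true);
}

// Constructed sample inputs; all host names are placeholders.
$allowed = ['sub.example.org', 'example.org'];
$samples = [
    '/index.php?option=com_users&view=login',
    'https://example.org/after-logout.php',
    '//other.example.net/',
    'https://example.org@other.example.net/',
    'https://example.org.other.example.net/',
    'javascript:void(0)',
];
foreach ($samples as $s) {
    printf("%-45s %s\n", $s, isAllowedRedirect($s, $allowed) ? 'allow' : 'reject');
}
```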
Thanks for this proposal but I am closing it for the security purposes mentioned by @mbabker above
Status | Pending | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2016-08-03 19:50:29 |
Closed_By | ⇒ | brianteeman |
@thomaslanger I have tested this PR and followed your testing instructions without applying the PR
1) Create a Menu Item logout, set "Logout Redirection Page" to default
2) Log in on the front-end, go to "Submit an article" and click on the "Logout" button
3) It redirects to the home page by default
Then I tested again with the PR applied and the same thing happens with the PR applied
Is this the right behavior for this PR?
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/11227.