thomaslanger
21 Jul 2016

Pull Request for Issue #11093.

Summary of Changes

Redirect to the default menu item if $return is empty, or to any other address on the server, e.g. custom scripts. Not only Joomla internal. Also works with other logout components like com_quicklogout.

Testing Instructions

  1. Create a user menu with a menu item Logout.
  2. Set the Logout menu item to redirect to the Homepage menu item.
  3. Click Logout.

Votes

# of Users Experiencing Issue
1/1
Average Importance Score
5.00

thomaslanger - open - 21 Jul 2016
thomaslanger - change - 21 Jul 2016
Status: New → Pending
joomla-cms-bot - change - 21 Jul 2016
Category: Front End Components
joomla-cms-bot - change - 21 Jul 2016
Labels Added: ?

killoltailored - comment - 21 Jul 2016

@thomaslanger I have tested this PR and followed your testing instructions without applying the PR:
1) Create a menu item Logout, set "Logout Redirection Page" to default
2) Log in on the front end, go to "Submit an article" and click on the "Logout" button
3) It redirects to the home page by default
Then I tested again with the PR applied and the same thing happens.
Is this the right behavior of this PR?


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/11227.

bertmert - comment - 21 Jul 2016

@killoltailored
I think it's meant like this: After the patch is applied you can use external URLs as redirection targets, too.
(Just code review. Not tested.)

mbabker - comment - 21 Jul 2016

There was a very purposeful security patch addressing open redirect vulnerabilities applied previously...

killoltailored - comment - 21 Jul 2016

I have created a menu item with an external URL, but that menu item is disabled in the "Logout Redirection Page" drop-down list after applying the PR.


RoterNagel - comment - 21 Jul 2016

@killoltailored it is not about the menu type "external link". You are able to set the URL in a custom script. For example, if you use com_quicklogout, you are able to redirect from a subdomain (where your current Joomla installation may be) to the domain itself.


thomaslanger - comment - 21 Jul 2016

I try to block external URLs by using PHP's parse_url() function. OK, possibly not perfect. One aspect was to allow a logout component to use the Joomla logout function and redirect to a custom script on the same server.
Example:
A Joomla installation on a subdomain. Logout redirects to a custom script which redirects to the main domain.
Currently there is no Joomla way to place the custom script address in the menu settings. This is OK. So the normal user cannot simply redirect to an external URL.
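
One way to validate a logout return target so that a custom script on an explicitly allowed host stays reachable while arbitrary external URLs are refused, covering the cases where parse_url() alone is not enough. This is an added example, not code from the pull request or from Joomla; the function name safe_return_url, the host list and the sample URLs are assumptions.

```php
<?php
// Added example: allow-list validation of a logout "return" URL.
// Function name, host names and sample URLs are constructed for illustration.

function safe_return_url(string $url, array $allowedHosts, string $fallback = '/'): string
{
    // Whitespace, control characters and backslashes are normalised
    // differently by browsers than by parse_url(), so refuse them outright.
    if ($url === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $url)) {
        return $fallback;
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return $fallback;
    }
    // No scheme and no host: accept only a single-slash local path.
    // "//host/path" is scheme-relative and would leave the site.
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        return ($url[0] === '/' && substr($url, 0, 2) !== '//') ? $url : $fallback;
    }
    // Absolute URL: http(s) only, no userinfo, host must match exactly.
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = strtolower($parts['host'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)
        || isset($parts['user']) || isset($parts['pass'])
        || !in_array($host, $allowedHosts, true)) {
        return $fallback;
    }
    return $url;
}

$allowed = ['www.example.org', 'sub.example.org']; // constructed allow-list
foreach ([
    '/index.php?option=com_users',               // local path
    'https://www.example.org/after-logout.php',  // custom script, allowed host
    '//elsewhere.example/',                      // scheme-relative
    'https://www.example.org@elsewhere.example/', // userinfo disguises the host
    'https://www.example.org.elsewhere.example/', // look-alike suffix
    'javascript:void(0)',                        // non-http scheme
] as $s) {
    printf("%-45s => %s\n", $s, safe_return_url($s, $allowed));
}
```
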

brianteeman - comment - 3 Aug 2016

Thanks for this proposal but I am closing it for the security purposes mentioned by @mbabker above



brianteeman - change - 3 Aug 2016
Status: Pending → Closed
Closed_Date: 0000-00-00 00:00:00 → 2016-08-03 19:50:29
Closed_By: brianteeman
brianteeman - close - 3 Aug 2016
