minor #7056 Warn user about open redirects (pascaldevink, javiereguiluz)

xabbuh · xabbuh · commit bb3145064dd2 · 2016-11-22T21:25:31.000+01:00
This PR was submitted for the master branch but it was merged into the 2.7 branch instead (closes #7056). Discussion ---------- Warn user about open redirects The `redirect()` method is open to open redirects if user input is directly passed as parameter. This is of course as intended, and most people would know directly passing user input is never wise, but I think that warning developers can not be done enough. I hope this message is clear, but please let me know of any better wording or if the `tip` context is the right one to use here. Commits ------- 8f77746 Reworded the caution about open redirects 4a4a5fa Warn user about open redirects
diff --git a/controller.rst b/controller.rst
@@ -186,6 +186,13 @@ and ``redirect()`` methods::
 
 For more information, see the :doc:`Routing chapter </routing>`.
 
+.. caution::
+
+    The ``redirect()`` method does not check its destination in any way. If you 
+    redirect to some URL provided by the end-users, your application may be open 
+    to the `unvalidated redirects security vulnerability`_.
+
+
 .. tip::
 
     The ``redirectToRoute()`` method is simply a shortcut that creates a
@@ -563,3 +570,5 @@ Learn more about Controllers
     :glob:
 
     controller/*
+
+.. _`unvalidated redirects security vulnerability`: https://www.owasp.org/index.php/Open_redirect
