From 0dbadbdceb61e5bafd6f5cff859c3b8fe0dd5520 Mon Sep 17 00:00:00 2001 From: Pascal de Vink Date: Mon, 3 Oct 2016 22:01:18 +0200 Subject: [PATCH 1/2] Warn user about open redirects --- controller.rst | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/controller.rst b/controller.rst index e3d77fd9333..ad8721bf5b0 100644 --- a/controller.rst +++ b/controller.rst @@ -182,6 +182,14 @@ and ``redirect()`` methods:: For more information, see the :doc:`Routing chapter `. +.. tip:: + + The ``redirect()`` method does not check it's input. If you use user input + directly as it's parameter, you might open up your page to unvalidated + redirects and forwards, which is in the OWASP top 10 of web application + security flaws. For more information, see https://www.owasp.org/index.php/Open_redirect + + .. tip:: The ``redirectToRoute()`` method is simply a shortcut that creates a From b59d2209fb7c63feaa831c3a8c4b1480f5f9bd83 Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Mon, 21 Nov 2016 11:03:10 +0100 Subject: [PATCH 2/2] Reworded the caution about open redirects --- controller.rst | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/controller.rst b/controller.rst index ad8721bf5b0..8a35379931a 100644 --- a/controller.rst +++ b/controller.rst @@ -182,12 +182,11 @@ and ``redirect()`` methods:: For more information, see the :doc:`Routing chapter `. -.. tip:: +.. caution:: - The ``redirect()`` method does not check it's input. If you use user input - directly as it's parameter, you might open up your page to unvalidated - redirects and forwards, which is in the OWASP top 10 of web application - security flaws. For more information, see https://www.owasp.org/index.php/Open_redirect + The ``redirect()`` method does not check its destination in any way. If you + redirect to some URL provided by the end-users, your application may be open + to the `unvalidated redirects security vulnerability`_. .. tip:: 
@@ -613,3 +612,5 @@ Learn more about Controllers :glob: controller/* + +.. _`unvalidated redirects security vulnerability`: https://www.owasp.org/index.php/Open_redirect
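Review bot: In the first patch's hunk at ``@@ -182,6 +182,14 @@``, "does not check it's input" and "as it's parameter" use the contraction where the possessive "its" is meant; both should read "its". A security warning is also better placed in a ``.. caution::`` directive than in ``.. tip::``, since readers skim tips as optional advice; the second patch makes exactly that change, so the first could be squashed into it to avoid landing the typo in history.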
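Review bot: The reworded caution in the hunk at ``@@ -182,12 +182,11 @@`` names the risk but gives the reader nothing to do about it. One added sentence would make it actionable: when the destination is an internal route, prefer ``redirectToRoute()`` (the tip right below already introduces it as a shortcut) so the target is built from a route name rather than a raw URL, and when a user-supplied target really is needed, validate it against an allowlist of known paths before passing it to ``redirect()``. Minor wording: "provided by the end-users" reads more naturally as "provided by end users".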
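Review bot: The hunk at ``@@ -613,3 +612,5 @@`` appends the ``.. _`unvalidated redirects security vulnerability`:`` target after the ``:glob:`` toctree at the very end of the file, far from the caution that references it. reStructuredText resolves it regardless, but keeping the target directly after the caution block, or in a dedicated link-target block if the page already has one, makes the link easier to find and update; the link text and the target name do match exactly, which is what matters for the build.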