[CKAN-Security] /util/redirect and referrer-based CSRF mitigation

Thrawn shell_layer-github at yahoo.com.au
Sun Nov 16 23:56:53 UTC 2014


Hi, folks.

As mentioned at https://github.com/ckan/ckan/issues/1419, the open redirect on /util/redirect is a concern because it allows attackers to bypass referrer checks, which aren't a great defence against CSRF in the first place, of course, but they're the simplest to implement without touching the codebase.

Can anyone clarify whether this would restrict attackers to GET requests, or whether it would also allow forgery of referrer on cross-site POSTs?

Thrawn
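The two controls the message touches on, as an added example that is not CKAN's own code: a validator that only lets an endpoint like /util/redirect send the browser to the site's own origin (closing the open redirect), and a same-origin Referer check that fails closed when the header is absent. The site URL and function names are assumptions for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Constructed site origin for the example; a real deployment would take
# this from configuration rather than hard-coding it.
SITE_URL = "https://ckan.example"


def is_safe_redirect_target(target, site_url=SITE_URL):
    """Return True only if `target` resolves to the same scheme and host as
    `site_url`, so the redirect endpoint cannot be used to reach an
    arbitrary external site."""
    if not target:
        return False
    # Backslashes and control characters are normalised by some browsers
    # ("/\evil.example" becomes "//evil.example"); reject them outright.
    if any(ch in target for ch in "\\\r\n\t"):
        return False
    site = urlsplit(site_url)
    # Relative paths are resolved against the site; absolute URLs and
    # protocol-relative "//host" forms keep their own host and are then
    # compared against the site's host.
    resolved = urlsplit(urljoin(site_url, target))
    if resolved.scheme not in ("http", "https"):
        return False  # rejects javascript:, data:, etc.
    # Comparing the full netloc also catches "https://good@evil.example".
    return resolved.scheme == site.scheme and resolved.netloc == site.netloc


def referer_is_same_origin(referer, site_url=SITE_URL):
    """Strict Referer check for state-changing requests: a missing or
    unparsable header is treated as a failure, not a pass."""
    if not referer:
        return False
    ref = urlsplit(referer)
    site = urlsplit(site_url)
    return ref.scheme == site.scheme and ref.netloc == site.netloc


if __name__ == "__main__":
    for t in ("/dataset/x", "//evil.example/", "https://ckan.example@evil.example/"):
        print(t, "->", "allowed" if is_safe_redirect_target(t) else "rejected")
```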
