Hello folks

A customer requested to remove an apparently security issue, caused by globalredirect in the way it handles the request to translate node/xx to the human URL inside Drupal.

Well this treatment generates a problem with requests like this http://www.domain.com/?q=http://domain2.com, redirecting the customer to http://domain.com website.

To avoid this behavior I did a little path for the module file to disable this option and return a page not found.

Please consider enabling this option in next release or enable as configuration value.

Regards,

enzo

CommentFileSizeAuthor
globalredirect-disable-external-url.patch655 bytes-enzo-

Comments

karengrey’s picture

I recently found out this security flaw as well and have had to turn off the module to stop it from happening.

I will take a look at your patch to see if it works for me,

This needs to be fixed as its a HUGE security flaw!!

mcrittenden’s picture

Sub.

hoporr’s picture

+1.

This is a pretty serious issue for content spoofing. Please put this patch into the main release.

mlefevre’s picture

This seems to be the same issue as #768244: Non-clean to Clean allows external redirect

dave reid’s picture

Status: Needs review » Closed (duplicate)