Added support for relative redirects

RFC 2616 requires an absolute URI in the "Location" header field. So if someone calls "ns_returnredirect /", NaviServer transforms it on the fly into an absolute URL by prefixing it with the location (e.g. https://openacs.org/). NaviServer (and OpenACS) has some complex code to compute the location value, especially when virtual servers are involved (or for "host-node mapped" subsites in OpenACS). The situation is further complicated when running behind a reverse proxy and/or in a containerized environment. In such cases, the location is computed from the "host" request header field, which must be validated, otherwise an attacker could hijack a session and redirect it to a spoofed site.

The situation changed 10 years ago (June 2014) with the introduction of RFC 7231, which allows relative redirects (see https://www.rfc-editor.org/rfc/rfc7231#section-7.1.2). Using relative redirects greatly simplifies configuration and closes the attack vector using the host header field. RFC 7231 has been superseded by RFC 9110 (June 2022), which also supports relative redirects via the "location" response header field (see https://www.rfc-editor.org/rfc/rfc9110#field.location).

Since OpenACS always prefixed the URL with a location when it encountered a relative URL in an "ad_returnredirect", this change makes use of the new feature of NaviServer 5.

Make sure to use a current version of NaviServer, where the support was added recently.
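As an added illustration (Python, not NaviServer's or OpenACS's own Tcl code) of the two behaviours the commit message contrasts: an absolute "Location" built from the request's Host header, which is only safe when that host is checked against the hosts the server actually serves, next to the RFC 7231 / RFC 9110 relative form that consults no request header at all. ALLOWED_HOSTS and DEFAULT_LOCATION are assumed configuration values, and the forged Host value is constructed for the example.

```python
from urllib.parse import urlsplit

# Assumed configuration: the hosts this server legitimately answers for,
# and the configured location used when the Host header cannot be trusted.
ALLOWED_HOSTS = {"openacs.org", "www.openacs.org"}
DEFAULT_LOCATION = "https://openacs.org"


def _check_target(path):
    # Redirect targets here are path-absolute, e.g. "/" or "/register".
    if not path.startswith("/"):
        raise ValueError("expected a path-absolute redirect target")


def unchecked_absolute_location(path, host_header, scheme="https"):
    """RFC 2616-style absolute Location with the authority copied straight
    from the Host header. Whatever the client (or an attacker in front of a
    reverse proxy) puts into Host ends up in the redirect URL."""
    _check_target(path)
    return f"{scheme}://{host_header}{path}"


def absolute_location(path, host_header, scheme="https"):
    """Same RFC 2616 behaviour, but the Host header is validated: the
    hostname (port stripped) must be one we serve, otherwise the configured
    location is used instead of the client-supplied value."""
    _check_target(path)
    host = (host_header or "").strip().lower()
    try:
        hostname = urlsplit("//" + host).hostname  # handles host:port and [ipv6]
    except ValueError:
        hostname = None
    if hostname not in ALLOWED_HOSTS:
        return DEFAULT_LOCATION + path
    return f"{scheme}://{host}{path}"


def relative_location(path):
    """RFC 7231 / RFC 9110 behaviour: emit the path as given. No Host header
    is involved, so there is nothing for a forged Host value to influence."""
    _check_target(path)
    return path
```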