Change the came_from to use a session variable

Bug #1135630 reported by Paul Everitt
Affects: KARL3
Status: Fix Released
Importance: Medium
Assigned to: Chris Rossi
Milestone: (none)

Bug Description

Per discussion in email, Tres will take this out of the URL to avoid promoting a phishing attack. Possibly to include a whitelist of patterns that the came_from must match.

Revision history for this message
Tres Seaver (tseaver) wrote :

We need to have the "business center" app developers tell us whether they are still using the karl.external_link_ticket authentication machinery, which would be broken by this change.

Tres Seaver (tseaver) wrote :

Nat, can you please find out from Ajo (or somebody else) whether the business center apps still rely on KARL for authentication?

Changed in karl3:
assignee: Tres Seaver (tseaver) → Nat Katin-Borland (nborland)
status: New → Incomplete
Nat Katin-Borland (nborland) wrote :

Hey Tres,

I'm working on getting this confirmation from Ajo and I'll pass along his answer as soon as I get it.

-Nat

Paul Everitt (paul-agendaless) wrote :

Based on analysis from OSF, they do NOT have a need to redirect (came_from) to any URL outside of KARL. So we don't need a configurable whitelist.

Changed in karl3:
assignee: Nat Katin-Borland (nborland) → Chris Rossi (chris-archimedeanco)
status: Incomplete → Confirmed
Changed in karl3:
status: Confirmed → In Progress
Chris Rossi (chris-archimedeanco) wrote :

Deployed on karldev: chrisrossi-1135630-came-from

Changed in karl3:
status: In Progress → Fix Committed
Paul Everitt (paul-agendaless) wrote :

Nat reviewed, said it is ready whenever we want to merge.

Tres Seaver (tseaver) wrote :

This branch is now deployed to karlstaging (via the 'm125' integration branch).

Tres Seaver (tseaver)
Changed in karl3:
status: Fix Committed → Fix Released
Duncan Booth (kupuguy) wrote :

Unfortunately this fix breaks links stored in Microsoft Office.

If you try to follow a link to a Karl system from a Microsoft Office document, you get the following sequence of events:

Microsoft Office tries to retrieve the URL, but because Office is not logged in (even if the browser is), it gets a 302 response redirecting it to login.html (with the session cookie set). Microsoft Office then fetches the login.html page and gets a 200 response. It determines that the content-type is not a Microsoft Office document type, so it sends the login.html URL to the user's default browser.

The user's browser fetches the login page, performs any authentication necessary, but has its own session so there is no redirect to the source page.
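The two approaches this thread discusses, as an added example in Python that is not KARL's code: a URL-carried came_from checked against an allow-list of local targets (the variant Paul rules out the need to make configurable), and the session-carried form the fix adopted, including the two-session situation Duncan describes in which the stored target is lost. The host name and paths are constructed placeholders.

```python
"""Added example (not KARL's code): handling a login ``came_from`` target."""
from urllib.parse import urlsplit

APP_HOST = "karl.example.org"   # constructed placeholder, not a real KARL host
DEFAULT_LANDING = "/"


def is_local_target(came_from: str) -> bool:
    """Allow-list check: accept only targets that stay on this application.

    Rejects absolute URLs to other hosts, scheme-relative ``//other.host``,
    non-http schemes and backslash/newline tricks; accepts an absolute path
    or a full URL whose host is APP_HOST.
    """
    if not came_from or any(c in came_from for c in "\r\n\\"):
        return False
    parts = urlsplit(came_from)
    if parts.scheme or parts.netloc:
        if parts.scheme not in ("http", "https"):
            return False
        if parts.netloc.lower() != APP_HOST:
            return False
    return parts.path.startswith("/") and not parts.path.startswith("//")


def redirect_after_login_from_url(came_from: str = "") -> str:
    """URL-carried came_from: honoured only when it passes the allow-list."""
    return came_from if is_local_target(came_from) else DEFAULT_LANDING


def challenge(session: dict, requested_path: str) -> str:
    """Unauthenticated request: remember the target server-side, send to login."""
    if is_local_target(requested_path):
        session["came_from"] = requested_path
    return "/login.html"


def redirect_after_login_from_session(session: dict) -> str:
    """Session-carried came_from: nothing in the URL for a third party to supply."""
    return session.pop("came_from", DEFAULT_LANDING)


def office_scenario() -> str:
    """Office fetches the link with its own cookie jar; the browser logs in with another.

    The target was stored in Office's session, so the browser session lands
    on DEFAULT_LANDING: this is the behaviour the last comment reports.
    """
    office_session, browser_session = {}, {}
    challenge(office_session, "/communities/foo/doc.docx")
    return redirect_after_login_from_session(browser_session)
```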
