Bug #91396

Updated by Oliver Hader 7 months ago

Scenario 

 * https://sso.example.org/auth used to authenticate 
 * https://example.org/?eID=auth used for session transfer/activation (or similar technique, invoking a "callback") 
 ** request header @Referer: https://sso.example.org/auth@ 
 ** response header @Location: https://example.org/typo3/@ 
 * https://example.org/typo3/ as redirect 
 ** request header @Referer: https://sso.example.org/auth@ (still the external SSO, since redirected via @Location:@ headers) 
 ** response header @Location: http://example/typo3/index.php?route=%2Fmain&token=1ed543d6ba3594722a69a1969abc15046631d7a5@ 
 * http://example/typo3/index.php?route=%2Fmain&token=1ed543d6ba3594722a69a1969abc15046631d7a5 checking the referrer 
 ** request header @Referer: https://sso.example.org/auth@ (still the external SSO, since redirected via @Location:@ headers) 

 Observation 

 * request is actually correct 
 * referrer is send - but with something "external" from @/typo3/@ (that the subject we want and must protect from being called *directly*) 

 Variations 

 * cross-site 
 ** @Referer: https://sso.example.org/auth@ 
 ** expected @Referer: https://example.org/typo3/.+@ 
 * same-site 
 ** @Referer: https://example.org/?eID=auth@ 
 ** expected @Referer: https://example.org/typo3/.+@ 
 * same-origin (the regular case) 
 ** @Referer: https://example.org/typo3/index.php?route=%2Flogin@ 
 ** expected @Referer: https://example.org/typo3/.+@

Back