- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: None
- Fix Version/s: 6.0.0
- Component/s: None
- Target Version/s:
- Needs backport: No
- Needs QA verification: No
- Functional tests: Yes
- Are the reproduction steps defined?: Yes and I used the same as in the description

Authentication using trees can handle a user-defined URL parameter of "goto", which should define the successUrl once authentication succeeds. Since this parameter is user-defined, it is open to abuse and needs to be validated. There currently is validation, but this needs to be confirmed with Functional Tests.
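
The kind of functional check the description asks for, as an added example that is not the product's validation code or part of the original ticket: a `goto` validator that falls back to a default success URL, plus constructed test cases. The function names, the allow-list and the `example.com` / `example.net` hosts are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed deployment values, not taken from the ticket.
DEFAULT_SUCCESS_URL = "https://am.example.com/console"
ALLOWED_ORIGINS = {("https", "am.example.com", 443), ("https", "app.example.com", 443)}
DEFAULT_PORTS = {"http": 80, "https": 443}


def resolve_success_url(goto):
    """Return goto when it passes validation, otherwise the default success URL."""
    if not goto or len(goto) > 2048:
        return DEFAULT_SUCCESS_URL
    # Browsers treat "\" as "/" and drop tabs/newlines, so reject instead of normalising.
    if "\\" in goto or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in goto):
        return DEFAULT_SUCCESS_URL
    try:
        parts = urlsplit(goto)
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return DEFAULT_SUCCESS_URL
    if not parts.scheme and not parts.netloc:
        # Relative value: accept only a path rooted at a single "/".
        return goto if goto.startswith("/") and not goto.startswith("//") else DEFAULT_SUCCESS_URL
    if parts.username is not None or parts.password is not None:
        return DEFAULT_SUCCESS_URL  # userinfo can disguise the real host
    scheme = parts.scheme.lower()
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
    origin = (scheme, (parts.hostname or "").lower(), port)
    return goto if origin in ALLOWED_ORIGINS else DEFAULT_SUCCESS_URL


# Constructed functional-test cases: (goto value, expected to be honoured?)
CASES = [
    ("https://app.example.com/home?x=1", True),
    ("/console/profile", True),
    ("//other.example.net/x", False),                       # scheme-relative
    ("https://app.example.com@other.example.net/", False),  # userinfo before host
    ("https://app.example.com.other.example.net/", False),  # suffix lookalike
    ("http://app.example.com/", False),                     # wrong scheme
    ("https://app.example.com:8443/", False),               # wrong port
    ("/\\other.example.net", False),                        # backslash
    ("javascript:void(0)", False),                          # non-http scheme
    ("", False),
]


def failing_cases():
    """Return the goto values where the validator disagrees with the expectation."""
    return [g for g, ok in CASES if (resolve_success_url(g) == g) != ok]
```
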