RFC 2616 requires an absolute URI in the "Location" header field. So if someone calls "ns_returnredirect /", NaviServer transforms it on the fly into an absolute URL by prefixing it with the location (e.g. https://openacs.org/). NaviServer (and OpenACS) has some complex code to compute the location value, especially when virtual servers are involved (or for "host-node mapped" subsites in OpenACS). The situation is further complicated when running behind a reverse proxy and/or in a containerized environment. In such cases, the location is computed from the "host" request header field, which must be validated, otherwise an attacker could hijack a session and redirect it to a spoofed site.
The situation changed 10 years ago (June 2014) with the introduction of RFC 7231, which allows relative redirects (see https://www.rfc-editor.org/rfc/rfc7231#section-7.1.2). Using relative redirects greatly simplifies configuration and closes the attack vector using the host header field. RFC 7231 has been superseded by RFC 9110 (June 2022), which also supports relative redirects via the "location" response header field (see https://www.rfc-editor.org/rfc/rfc9110#field.location).
Since OpenACS prefixed always the URL with a location, when it encounters are relative URL in a "ad_returnredirect", this change makes use of the new feature of NaviServer 5.
Make sure to use a current version of NaviServer, where the support was added recently.
Loading ...