- Issue created by @morgannc
- 🇷🇪Réunion morgannc La Réunion
morgannc → changed the visibility of the branch 3456271-security-flaw-allowing to hidden.
- Status changed to Needs review
  5 months ago 3:38pm 21 June 2024
- Status changed to Needs work
  5 months ago 6:23pm 6 July 2024
- 🇮🇹Italy kopeboy Milan
Doesn't disabling the destination defeat the purpose of this module?
Isn't just redirecting to the original URL request (without the path alias) enough, and would that be possible to implement?

Also, I believe this security suggestion is better handled by the famous redirect module, which has an option to:

Check access to the redirected page
This helps to stop redirection on protected pages and avoids giving away secret URL's. By default this feature is disabled to avoid any unexpected behavior

Nevertheless, I applied your patch and it works fine! Although I would say, for better backwards compatibility, the default option should be to enable the Allow destination checkbox you added!
Thank you