[Security: low] CAS 3.0 Logout does not validate redirect URL
When logging out with /cas/logout?service=URL, the service parameter (the target URL) is not validated, so the portal redirects to whatever URL the caller supplies.
See https://cwe.mitre.org/data/definitions/601.html (URL Redirection to Untrusted Site, "Open Redirect") for why this is an issue.
Additionally, the CAS specification recommends validating this parameter: https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol-Specification.html#231-parameters
lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-Logout-30.t is a way to reproduce the issue: the target URL it uses is not declared anywhere, but the logout redirect to it is accepted anyway.
CAS 2.0 does not have this issue since its url parameter is validated by
We should run the target service= URL through
However, implementing this behavior would cause regressions for users who currently use the CAS issuer without application access control, or who send users to some generic logout page that is not declared as a CAS application.
Since disabling application access control already puts all LLNG users at risk of arbitrary redirects (through /cas/login), it would make sense from a compatibility point of view to skip this proposed check when users have disabled application access control on CAS, and to enforce it otherwise.
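The following is an added, stand-alone illustration of the proposed check; it is not LemonLDAP::NG code and does not use the LLNG API. The function name validate_logout_service, the list DECLARED_SERVICES and the host names are hypothetical. It accepts the logout service= URL only when its scheme, host, port and path prefix match a declared application, rejects the usual open-redirect tricks (protocol-relative URLs, userinfo before an attacker host, non-http schemes), and, mirroring the compatibility proposal above, passes the URL through unchanged when application access control is disabled.

```python
from urllib.parse import urlsplit

# Constructed sample of declared CAS applications (hypothetical hosts).
# Each entry acts as a prefix: same scheme/host/port, path must start with it.
DECLARED_SERVICES = (
    "https://app1.example.com/",
    "https://app2.example.com/cas/",
)


def _normalize(url):
    """Return (scheme, host, port, path) for an http(s) URL, or None.

    Only http and https are accepted; the host comes from .hostname, so
    'https://app1.example.com@evil.example/' normalizes to evil.example
    and 'HTTPS://APP1.EXAMPLE.COM/' to app1.example.com.
    """
    try:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        if scheme not in ("http", "https") or not parts.hostname:
            return None
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:  # e.g. a non-numeric port
        return None
    return (scheme, parts.hostname.lower(), port, parts.path or "/")


def _matches(candidate, declared):
    """True if candidate is under the declared service URL prefix."""
    cand = _normalize(candidate)
    decl = _normalize(declared)
    if cand is None or decl is None:
        return False
    return cand[:3] == decl[:3] and cand[3].startswith(decl[3])


def validate_logout_service(service_url, declared_services,
                            access_control_enabled=True):
    """Return the URL to redirect to after logout, or None to refuse it.

    With application access control disabled the URL is returned as-is,
    which is the compatibility behavior proposed in the issue (and is
    itself an open redirect, as the issue notes for /cas/login).
    """
    if not access_control_enabled:
        return service_url
    if any(_matches(service_url, d) for d in declared_services):
        return service_url
    return None  # caller shows the portal's own logout page instead


if __name__ == "__main__":
    for url in ("https://app1.example.com/home",
                "https://evil.example/",
                "//evil.example/",
                "https://app1.example.com@evil.example/",
                "javascript:alert(1)",
                "https://app2.example.com:443/cas/logout"):
        print(url, "->", validate_logout_service(url, DECLARED_SERVICES))
```

When the check refuses a URL, the portal should fall back to its own logout page rather than redirecting anywhere, which is also the behavior a declared-application check implies for the test case in 31-Auth-and-issuer-CAS-Logout-30.t.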