@cmangeat cmangeat commented Oct 15, 2025

observed:
When displaying simple view, a bad URL is forged (which can lead to session revocation at Spring Security level when anonymous).

wrong_forged_url

-> Have indeed to use ng-attr-xlink:href or ng-attr-href so to allow expression evaluation in angular template for xlink:href.

So to have the logo correctly displayed:
-> If 'link' test for '../api/logos', have to href '../api/logos', not '../../images/harvesting'.

when logo available
when_logo_available

when logo not available
when_logo_not_available

Checklist

  • I have read the contribution guidelines
  • Good housekeeping of code, cleaning up comments, tests, and documentation
  • Clean commit history broken into understandable chunks, avoiding big commits with hundreds of files, cautious of reformatting and whitespace changes
  • Clean commit messages, longer verbose messages are encouraged
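
The failure mode described above, as an added example that is not part of the pull request or of GeoNetwork's code: a small template check that flags `href` / `xlink:href` attributes still carrying a raw AngularJS `{{ }}` expression, which the browser can request literally before Angular evaluates it. The sample template and its scope names (`md.logo`, `logoUrl`) are constructed for illustration.

```javascript
// Added example, not GeoNetwork code. Flags href / xlink:href attributes whose
// value still contains a raw AngularJS {{ }} expression.
var URL_ATTRS = ["href", "xlink:href"];

// name="value" or name='value'; the name is matched whole, so prefixed forms
// such as ng-href or ng-attr-xlink:href are seen as different attributes.
var ATTR_RE = /([^\s"'<>\/=]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;

function findRawInterpolatedUrls(template) {
  var findings = [];
  // Checked line by line: attributes split across lines are not handled.
  template.split("\n").forEach(function (line, idx) {
    var m;
    ATTR_RE.lastIndex = 0;
    while ((m = ATTR_RE.exec(line)) !== null) {
      var name = m[1].toLowerCase();
      var value = m[2] !== undefined ? m[2] : m[3];
      if (URL_ATTRS.indexOf(name) !== -1 && value.indexOf("{{") !== -1) {
        findings.push({
          line: idx + 1,
          attr: name,
          value: value,
          fix: "ng-attr-" + name
        });
      }
    }
  });
  return findings;
}

// Constructed template; md.logo and logoUrl are hypothetical scope names.
var SAMPLE = [
  "<svg>",
  '  <image xlink:href="../api/logos/{{md.logo}}"></image>',
  '  <image ng-attr-xlink:href="{{logoUrl}}"></image>',
  '  <a href="../api/logos">static link, nothing to evaluate</a>',
  '  <a ng-attr-href="{{logoUrl}}">evaluated by Angular first</a>',
  "</svg>"
].join("\n");

findRawInterpolatedUrls(SAMPLE).forEach(function (f) {
  console.log("line " + f.line + ": " + f.attr + '="' + f.value + '" -> use ' + f.fix);
});
```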

@jahow jahow left a comment

Please do not use backticks (`) as they are part of ES5 and as such not compatible with the JavaScript tooling in GeoNetwork, thanks!

@cmangeat cmangeat force-pushed the avoid_wrong_forged_url branch from a956c06 to c78d4f0 Compare October 15, 2025 10:57
@cmangeat

> Please do not use backticks (`) as they are part of ES5 and as such not compatible with the JavaScript tooling in GeoNetwork, thanks!

done, thanks.

@cmangeat cmangeat marked this pull request as ready for review October 15, 2025 11:28

@jahow jahow left a comment

Looking good, just made a suggestion to simplify the code. Thanks!

have to use ng-attr-href so to allow expression evaluation in angular template for xlink:href.
if 'link' test for '../api/logos', have to href '../api/logos', not '../../images/harvesting'.
@cmangeat cmangeat force-pushed the avoid_wrong_forged_url branch from c78d4f0 to 1550d20 Compare October 17, 2025 12:18