Security
- CRITICAL: Fixed open redirect vulnerability in `_securedURL` handling. The `saveSecuredUrl()` method now validates redirect URLs to ensure they belong to the same host as the current request, preventing attackers from crafting malicious URLs that redirect users to external sites after login. Added `isSafeRedirectUrl()` validation using `java.net.URI` to compare hosts.
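The same-host check described above, written out as an added example in Python rather than the module's own CFML (cbsecurity's `isSafeRedirectUrl()` is built on `java.net.URI`; the names `is_safe_redirect_url`, `save_secured_url` and the `_securedURL` session key below are illustrative and the logic is this example's own, not a port of the project's). It compares the hostname of an absolute target with the request host and only accepts scheme-less targets that are a single-slash path. The extra rejections (backslashes, `//` and `///` prefixes, non-http schemes) cover inputs that stdlib URL parsers treat as a local path but browsers resolve to another origin, which is the usual way a naive "same host" check gets bypassed.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
DEFAULT_REDIRECT = "/"  # assumed fallback destination after login


def is_safe_redirect_url(target: str, request_host: str) -> bool:
    """Return True only if `target` will keep the user on `request_host`.

    `request_host` is the bare hostname of the current request (no port).
    """
    if not target:
        return False

    # Browsers normalise "\" to "/" and strip tabs/newlines before parsing, so
    # "/\evil.com" or "http://evil\t.com" reach the browser as other hosts while
    # urlsplit() sees a harmless path. Reject such input outright.
    if "\\" in target or any(ord(c) < 0x20 or c.isspace() for c in target):
        return False

    parts = urlsplit(target)

    if parts.scheme:
        # Absolute URL: only http(s), and the hostname must match exactly.
        # Catches https://evil.com, https://good.com@evil.com (hostname is
        # evil.com), https://good.com.evil.com and javascript:/data: URLs.
        if parts.scheme.lower() not in ALLOWED_SCHEMES:
            return False
        return (parts.hostname or "").lower() == request_host.lower()

    # Scheme-less target: "//evil.com" is protocol-relative (netloc set) and
    # "///evil.com" has an empty netloc in urlsplit but resolves to evil.com in
    # browsers, so refuse anything starting with two slashes. Anything else must
    # be an absolute path on this host; bare relative paths are refused too.
    if parts.netloc or target.startswith("//"):
        return False
    return target.startswith("/")


def save_secured_url(session: dict, target: str, request_host: str) -> str:
    """Store the post-login destination, falling back when the target is unsafe.

    Mirrors the shape of the fix described in the release notes: the unsafe
    "before" simply stored `target` unconditionally.
    """
    destination = target if is_safe_redirect_url(target, request_host) else DEFAULT_REDIRECT
    session["_securedURL"] = destination
    return destination


if __name__ == "__main__":
    # Constructed sample targets, as an attacker might supply via a login link.
    host = "good.com"
    for candidate in ["/dashboard", "https://good.com/account",
                      "https://evil.com/", "//evil.com", "///evil.com",
                      "/\\evil.com", "https://good.com@evil.com/", "javascript:alert(1)"]:
        print(f"{candidate!r:35} -> {is_safe_redirect_url(candidate, host)}")
```

A practical way to turn this into a regression test is to keep the list of bypass strings above in the test suite and assert each is rejected; the check should fail closed, so an unexpected parse result should route the user to `DEFAULT_REDIRECT`, never to the raw target.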
Fixed
- BOX-164 Allow Visualizer to show settings when firewall.logging not enabled
- JWT Handler improperly returns a value, causing it to skip ColdBox's `RestHandler` response formatting logic. This results in the entire response object being returned rather than just the result of `getDataPacket()`.