BUG Fix malformed urls redirecting to external sites

This commit is contained in:
Damian Mooyman 2015-05-25 12:38:34 +12:00
parent 79cfa2bb64
commit 22a35e48a9
4 changed files with 18 additions and 13 deletions


@ -509,6 +509,7 @@ class Controller extends RequestHandler implements TemplateGlobalProvider {
// absolute redirection URLs not located on this site may cause phishing // absolute redirection URLs not located on this site may cause phishing
if(Director::is_site_url($url)) { if(Director::is_site_url($url)) {
$url = Director::absoluteURL($url);
return $this->redirect($url); return $this->redirect($url);
} else { } else {
return false; return false;
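Review bot: The purpose of the new `$url = Director::absoluteURL($url);` line is not recorded next to it, and the existing comment above only explains the is_site_url() check; add `// Resolve to an absolute URL on this site so the malformed values named in the commit message are not left for the browser to resolve against another host` so the next maintainer does not drop the line as redundant. The same is_site_url()-then-absoluteURL() pair is now repeated in the Form, ChangePasswordForm and MemberLoginForm hunks of this commit; a single Director helper returning the absolutised site URL (or false) would keep the four call sites from drifting apart. If absoluteURL() can return false rather than a string in some request contexts, which I cannot confirm from this hunk, that result should be checked before it is passed to redirect(). The enclosing method starts before this hunk.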


@ -432,6 +432,7 @@ class Form extends RequestHandler {
if(Director::is_site_url($pageURL)) { if(Director::is_site_url($pageURL)) {
// Remove existing pragmas // Remove existing pragmas
$pageURL = preg_replace('/(#.*)/', '', $pageURL); $pageURL = preg_replace('/(#.*)/', '', $pageURL);
$pageURL = Director::absoluteURL($pageURL);
return $this->controller->redirect($pageURL . '#' . $this->FormName()); return $this->controller->redirect($pageURL . '#' . $this->FormName());
} }
} }
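Review bot: `Director::is_site_url($pageURL)` on the first hunk line is evaluated on the value with its fragment still attached, while the string actually redirected to is the fragment-stripped, absolutised one built on the two lines below it; validating exactly the string that is redirected is safer and easier to reason about, so move the strip ahead of the check: `$pageURL = preg_replace('/(#.*)/', '', $pageURL);` then `if(Director::is_site_url($pageURL)) {` then `$pageURL = Director::absoluteURL($pageURL);`. Note also that `.` in that pattern does not match a newline, so only the fragment up to the first line break is removed; a non-regex cut such as `list($pageURL) = explode('#', $pageURL, 2);` drops everything after the first `#`. The enclosing method starts before this hunk and, as far as I can tell, its body continues after it.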


@ -108,12 +108,12 @@ class ChangePasswordForm extends Form {
$member->FailedLoginCount = null; $member->FailedLoginCount = null;
$member->write(); $member->write();
if (isset($_REQUEST['BackURL']) if (!empty($_REQUEST['BackURL'])
&& $_REQUEST['BackURL']
// absolute redirection URLs may cause spoofing // absolute redirection URLs may cause spoofing
&& Director::is_site_url($_REQUEST['BackURL']) && Director::is_site_url($_REQUEST['BackURL'])
) { ) {
return $this->controller->redirect($_REQUEST['BackURL']); $url = Director::absoluteURL($_REQUEST['BackURL']);
return $this->controller->redirect($url);
} }
else { else {
// Redirect to default location - the login form saying "You are logged in as..." // Redirect to default location - the login form saying "You are logged in as..."
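Review bot: The rewritten condition and the new `$url = Director::absoluteURL($_REQUEST['BackURL']);` line read `$_REQUEST['BackURL']` three times, whereas the MemberLoginForm hunk in this same commit copies it into a local once; do the same here so the validated value and the redirected value are visibly the same string: `$backURL = isset($_REQUEST['BackURL']) ? $_REQUEST['BackURL'] : null;` before the if, `if ($backURL && Director::is_site_url($backURL)) {` as the condition, and `$url = Director::absoluteURL($backURL);` in the body. The spoofing comment could also say what the added call contributes, e.g. `// is_site_url() rejects off-site targets; absoluteURL() normalises what remains so a malformed relative value cannot resolve elsewhere`. The enclosing method starts before this hunk and ends after it.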


@ -190,7 +190,7 @@ JS;
* ) * )
* *
* @param array $data * @param array $data
* @return void * @return SS_HTTPResponse
*/ */
protected function logInUserAndRedirect($data) { protected function logInUserAndRedirect($data) {
Session::clear('SessionForms.MemberLoginForm.Email'); Session::clear('SessionForms.MemberLoginForm.Email');
@ -209,18 +209,21 @@ JS;
} }
// Absolute redirection URLs may cause spoofing // Absolute redirection URLs may cause spoofing
if(isset($_REQUEST['BackURL']) && $_REQUEST['BackURL'] && Director::is_site_url($_REQUEST['BackURL']) ) { if(!empty($_REQUEST['BackURL'])) {
return $this->controller->redirect($_REQUEST['BackURL']); $url = $_REQUEST['BackURL'];
} if(Director::is_site_url($url) ) {
$url = Director::absoluteURL($url);
// Spoofing attack, redirect to homepage instead of spoofing url } else {
if(isset($_REQUEST['BackURL']) && $_REQUEST['BackURL'] && !Director::is_site_url($_REQUEST['BackURL'])) { // Spoofing attack, redirect to homepage instead of spoofing url
return $this->controller->redirect(Director::absoluteBaseURL()); $url = Director::absoluteBaseURL();
}
return $this->controller->redirect($url);
} }
// If a default login dest has been set, redirect to that. // If a default login dest has been set, redirect to that.
if (Security::config()->default_login_dest) { if ($url = Security::config()->default_login_dest) {
return $this->controller->redirect(Director::absoluteBaseURL() . Security::config()->default_login_dest); $url = Controller::join_links(Director::absoluteBaseURL(), $url);
return $this->controller->redirect($url);
} }
// Redirect the user to the page where they came from // Redirect the user to the page where they came from
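Review bot: `if ($url = Security::config()->default_login_dest)` assigns inside the condition, which reads like a mistyped comparison and silently reuses the `$url` local introduced in the BackURL branch above; prefer `$dest = Security::config()->default_login_dest;` then `if ($dest) {` then `$url = Controller::join_links(Director::absoluteBaseURL(), $dest);`. In the new else branch an off-site BackURL is replaced by the base URL without any trace; logging that a BackURL was rejected (through the framework's logger, `SS_Log` if that is what the rest of the framework uses) would make repeated open-redirect attempts visible to operators. There is also a stray space in `Director::is_site_url($url) )`. logInUserAndRedirect() opens in the first hunk of this file and its body continues past the end of this one.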