Merge pull request #61 from silverstripe-security/pulls/4.0/ss-2018-008

[ss-2018-008] Validate against malformed urls
This commit is contained in:
Robbie Averill 2018-05-14 17:07:09 +12:00 committed by GitHub
commit 39b62e5fbb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 23 additions and 6 deletions


@ -728,13 +728,26 @@ class Director implements TemplateGlobalProvider
*/ */
public static function is_site_url($url) public static function is_site_url($url)
{ {
$urlHost = parse_url($url, PHP_URL_HOST); $parsedURL = parse_url($url);
$actualHost = parse_url(self::protocolAndHost(), PHP_URL_HOST);
if ($urlHost && $actualHost && $urlHost == $actualHost) { // Validate user (disallow slashes)
return true; if (!empty($parsedURL['user']) && strstr($parsedURL['user'], '\\')) {
} else { return false;
return self::is_relative_url($url);
} }
if (!empty($parsedURL['pass']) && strstr($parsedURL['pass'], '\\')) {
return false;
}
// Validate host[:port]
$actualHost = parse_url(self::protocolAndHost(), PHP_URL_HOST);
if (!empty($parsedURL['host'])
&& $actualHost
&& $parsedURL['host'] === $actualHost
) {
return true;
}
return self::is_relative_url($url);
} }
/** /**
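Review bot: The comment `// Validate host[:port]` promises more than the check below it delivers: only `$parsedURL['host']` is compared with the host component of `protocolAndHost()`, so a URL on the site host but a different port is accepted as a site URL. Either make the comment honest (`// Validate host (port and scheme are not compared)`) or extend the condition with a port comparison along the lines of `&& (isset($parsedURL['port']) ? $parsedURL['port'] : null) === parse_url(self::protocolAndHost(), PHP_URL_PORT)`, assuming protocolAndHost() carries the port when one is configured — worth confirming. The `parse_url()` failure case is also implicit: when it returns false the `empty()` guards pass silently and control falls through to `is_relative_url($url)`, so an explicit `if ($parsedURL === false) { return false; }` after the parse would make the fail-closed intent readable instead of relying on `empty()` hiding the offset-on-bool access. Minor style point: `strstr()` is used purely as a boolean, `strpos($parsedURL['user'], '\\') !== false` states that intent directly.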


@ -380,6 +380,10 @@ class DirectorTest extends SapphireTest
$this->assertFalse(Director::is_site_url("http://test.com?url=" . Director::absoluteBaseURL())); $this->assertFalse(Director::is_site_url("http://test.com?url=" . Director::absoluteBaseURL()));
$this->assertFalse(Director::is_site_url("http://test.com?url=" . urlencode(Director::absoluteBaseURL()))); $this->assertFalse(Director::is_site_url("http://test.com?url=" . urlencode(Director::absoluteBaseURL())));
$this->assertFalse(Director::is_site_url("//test.com?url=" . Director::absoluteBaseURL())); $this->assertFalse(Director::is_site_url("//test.com?url=" . Director::absoluteBaseURL()));
$this->assertFalse(Director::is_site_url('http://google.com\@test.com'));
$this->assertFalse(Director::is_site_url('http://google.com/@test.com'));
$this->assertFalse(Director::is_site_url('http://google.com:pass\@test.com'));
$this->assertFalse(Director::is_site_url('http://google.com:pass/@test.com'));
} }
/** /**
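Review bot: The four new assertions only exercise the backslash-in-userinfo branch; nothing pins the other outcomes the rewritten `is_site_url()` now has, so a regression there would go unnoticed. A positive case with the site's own host (derived from `Director::absoluteBaseURL()` as the existing assertions do) should still assert true, and a negative case with the site host on a different port plus one whose input makes `parse_url()` return false would document the fail-closed behaviour. The enclosing test method starts outside the hunk.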