From 0074062b5329c3d43679909fddce2d70608a4475 Mon Sep 17 00:00:00 2001 From: Bjoern Schiessle Date: Fri, 15 Jun 2012 15:51:06 +0200 Subject: [PATCH] fixed xss vulnerability --- index.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.php b/index.php index 5042ede2e2..4df62327c4 100644 --- a/index.php +++ b/index.php @@ -118,7 +118,7 @@ elseif(OC_User::isLoggedIn()) { if(!array_key_exists('sectoken', $_SESSION) || (array_key_exists('sectoken', $_SESSION) && is_null(OC::$REQUESTEDFILE)) || substr(OC::$REQUESTEDFILE, -3) == 'php'){ $sectoken=rand(1000000,9999999); $_SESSION['sectoken']=$sectoken; - $redirect_url = (isset($_REQUEST['redirect_url'])) ? $_REQUEST['redirect_url'] : $_SERVER['REQUEST_URI']; + $redirect_url = (isset($_REQUEST['redirect_url'])) ? strip_tags($_REQUEST['redirect_url']) : $_SERVER['REQUEST_URI']; OC_Template::printGuestPage('', 'login', array('error' => $error, 'sectoken' => $sectoken, 'redirect' => $redirect_url)); } }