Disallow URLs containing a @

This commit is contained in:
Lukas Reschke 2013-04-23 00:26:40 +03:00
parent 4af4a5bd98
commit 6e78c4fcc0
1 changed files with 7 additions and 2 deletions

View File

@ -631,8 +631,13 @@ class OC {
// Handle redirect URL for logged in users // Handle redirect URL for logged in users
if (isset($_REQUEST['redirect_url']) && OC_User::isLoggedIn()) { if (isset($_REQUEST['redirect_url']) && OC_User::isLoggedIn()) {
$location = OC_Helper::makeURLAbsolute(urldecode($_REQUEST['redirect_url'])); $location = OC_Helper::makeURLAbsolute(urldecode($_REQUEST['redirect_url']));
header('Location: ' . $location);
return; // Deny the redirect if the URL contains a @
// This prevents unvalidated redirects like ?redirect_url=:user@domain.com
if (strpos($location, '@') === FALSE) {
header('Location: ' . $location);
return;
}
} }
// Handle WebDAV // Handle WebDAV
if ($_SERVER['REQUEST_METHOD'] == 'PROPFIND') { if ($_SERVER['REQUEST_METHOD'] == 'PROPFIND') {