Merge pull request #3080 from owncloud/validate_redirect_mast
Disallow URLs containing a @
This commit is contained in:
commit
9dde43db57
|
@ -631,8 +631,13 @@ class OC {
|
||||||
// Handle redirect URL for logged in users
|
// Handle redirect URL for logged in users
|
||||||
if (isset($_REQUEST['redirect_url']) && OC_User::isLoggedIn()) {
|
if (isset($_REQUEST['redirect_url']) && OC_User::isLoggedIn()) {
|
||||||
$location = OC_Helper::makeURLAbsolute(urldecode($_REQUEST['redirect_url']));
|
$location = OC_Helper::makeURLAbsolute(urldecode($_REQUEST['redirect_url']));
|
||||||
header('Location: ' . $location);
|
|
||||||
return;
|
// Deny the redirect if the URL contains a @
|
||||||
|
// This prevents unvalidated redirects like ?redirect_url=:user@domain.com
|
||||||
|
if (strpos($location, '@') === FALSE) {
|
||||||
|
header('Location: ' . $location);
|
||||||
|
return;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
// Handle WebDAV
|
// Handle WebDAV
|
||||||
if ($_SERVER['REQUEST_METHOD'] == 'PROPFIND') {
|
if ($_SERVER['REQUEST_METHOD'] == 'PROPFIND') {
|
||||||
|
|
Loading…
Reference in New Issue