aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--phpBB/includes/functions.php6
-rw-r--r--tests/security/redirect_test.php3
2 files changed, 9 insertions, 0 deletions
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index 4fdeb12d3a..0cf1ab0f24 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -2352,6 +2352,12 @@ function redirect($url, $return = false, $disable_cd_check = false)
trigger_error('INSECURE_REDIRECT', E_USER_ERROR);
}
+ // Make sure we don't redirect to external URLs
+ if (!$disable_cd_check && strpos($url, generate_board_url(true) . '/') !== 0)
+ {
+ trigger_error('Tried to redirect to potentially insecure url.', E_USER_ERROR);
+ }
+
// Make sure no linebreaks are there... to prevent http response splitting for PHP < 4.4.2
if (strpos(urldecode($url), "\n") !== false || strpos(urldecode($url), "\r") !== false || strpos($url, ';') !== false)
{
diff --git a/tests/security/redirect_test.php b/tests/security/redirect_test.php
index 21fb103ed1..0631365292 100644
--- a/tests/security/redirect_test.php
+++ b/tests/security/redirect_test.php
@@ -51,6 +51,9 @@ class phpbb_security_redirect_test extends phpbb_security_test_base
array('../index.php', false, false, 'http://localhost/index.php'),
array('../index.php', true, false, 'http://localhost/index.php'),
array('./index.php', false, false, 'http://localhost/phpBB/index.php'),
+ array('https://foobar.com\@http://localhost/phpBB', false, false, 'http://localhost/phpBB'),
+ array('https://foobar.com\@localhost/troll/http://localhost/', false, 'INSECURE_REDIRECT', false),
+ array('http://localhost.foobar.com\@localhost/troll/http://localhost/', false, 'INSECURE_REDIRECT', false),
);
}
generated by cgit v1.2.1 (git 2.21.0) at 2025-08-11 04:56:05 +0000