From eed355b798ec77ed8b67555087fc5866b522c5fc Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Fri, 10 Apr 2015 18:02:58 +0200 Subject: [ticket/security-180] Check if redirect URL contains board URL SECURITY-180 --- phpBB/includes/functions.php | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index f0657b9016..f79a0a9e52 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -2579,6 +2579,12 @@ function redirect($url, $return = false, $disable_cd_check = false) } } + // Make sure we don't redirect to external URLs + if (!$disable_cd_check && strpos($url, generate_board_url(true)) !== 0) + { + trigger_error('Tried to redirect to potentially insecure url.', E_USER_ERROR); + } + // Make sure no linebreaks are there... to prevent http response splitting for PHP < 4.4.2 if (strpos(urldecode($url), "\n") !== false || strpos(urldecode($url), "\r") !== false || strpos($url, ';') !== false) { -- cgit v1.2.1 From bca1b96b2e9235bbb4a3e7a104dd79e7f3761679 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sat, 11 Apr 2015 16:41:20 +0200 Subject: [ticket/security-180] Make sure that redirect goes to full URL plus slash SECURITY-180 --- phpBB/includes/functions.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index f79a0a9e52..a6a98954de 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -2580,7 +2580,7 @@ function redirect($url, $return = false, $disable_cd_check = false) } // Make sure we don't redirect to external URLs - if (!$disable_cd_check && strpos($url, generate_board_url(true)) !== 0) + if (!$disable_cd_check && strpos($url, generate_board_url(true) . '/') !== 0) { trigger_error('Tried to redirect to potentially insecure url.', E_USER_ERROR); } -- cgit v1.2.1 From ee658bfe7bd284573d199c3c2a76007c5509695d Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Sat, 11 Apr 2015 17:08:28 +0200 Subject: [ticket/security-180] Always fail when redirecting to an insecure URL SECURITY-180 --- phpBB/includes/functions.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/includes/functions.php') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index a6a98954de..f2bc63cf23 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -2492,7 +2492,7 @@ function redirect($url, $return = false, $disable_cd_check = false) // Attention: only able to redirect within the same domain if $disable_cd_check is false (yourdomain.com -> www.yourdomain.com will not work) if (!$disable_cd_check && $url_parts['host'] !== $user->host) { - $url = generate_board_url(); + trigger_error('Tried to redirect to potentially insecure url.', E_USER_ERROR); } } else if ($url[0] == '/') -- cgit v1.2.1