From eed355b798ec77ed8b67555087fc5866b522c5fc Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Fri, 10 Apr 2015 18:02:58 +0200 Subject: [ticket/security-180] Check if redirect URL contains board URL SECURITY-180 --- phpBB/includes/functions.php | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'phpBB/includes') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index f0657b9016..f79a0a9e52 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -2579,6 +2579,12 @@ function redirect($url, $return = false, $disable_cd_check = false) } } + // Make sure we don't redirect to external URLs + if (!$disable_cd_check && strpos($url, generate_board_url(true)) !== 0) + { + trigger_error('Tried to redirect to potentially insecure url.', E_USER_ERROR); + } + // Make sure no linebreaks are there... to prevent http response splitting for PHP < 4.4.2 if (strpos(urldecode($url), "\n") !== false || strpos(urldecode($url), "\r") !== false || strpos($url, ';') !== false) { -- cgit v1.2.1 From bca1b96b2e9235bbb4a3e7a104dd79e7f3761679 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sat, 11 Apr 2015 16:41:20 +0200 Subject: [ticket/security-180] Make sure that redirect goes to full URL plus slash SECURITY-180 --- phpBB/includes/functions.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/includes') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index f79a0a9e52..a6a98954de 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -2580,7 +2580,7 @@ function redirect($url, $return = false, $disable_cd_check = false) } // Make sure we don't redirect to external URLs - if (!$disable_cd_check && strpos($url, generate_board_url(true)) !== 0) + if (!$disable_cd_check && strpos($url, generate_board_url(true) . '/') !== 0) { trigger_error('Tried to redirect to potentially insecure url.', E_USER_ERROR); } -- cgit v1.2.1 From ee658bfe7bd284573d199c3c2a76007c5509695d Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Sat, 11 Apr 2015 17:08:28 +0200 Subject: [ticket/security-180] Always fail when redirecting to an insecure URL SECURITY-180 --- phpBB/includes/functions.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/includes') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index a6a98954de..f2bc63cf23 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -2492,7 +2492,7 @@ function redirect($url, $return = false, $disable_cd_check = false) // Attention: only able to redirect within the same domain if $disable_cd_check is false (yourdomain.com -> www.yourdomain.com will not work) if (!$disable_cd_check && $url_parts['host'] !== $user->host) { - $url = generate_board_url(); + trigger_error('Tried to redirect to potentially insecure url.', E_USER_ERROR); } } else if ($url[0] == '/') -- cgit v1.2.1 From ec207d0a71ba2c15e7cdcb2b59acd93aaa011223 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sat, 11 Apr 2015 16:48:57 +0200 Subject: [ticket/security-180] Merge if statement with previous one in 3.1.x SECURITY-180 --- phpBB/includes/functions.php | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) (limited to 'phpBB/includes') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 0cf1ab0f24..fcfed8b2a4 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -2347,15 +2347,9 @@ function redirect($url, $return = false, $disable_cd_check = false) // Clean URL and check if we go outside the forum directory $url = $phpbb_path_helper->clean_url($url); - if (!$disable_cd_check && strpos($url, generate_board_url(true)) === false) - { - trigger_error('INSECURE_REDIRECT', E_USER_ERROR); - } - - // Make sure we don't redirect to external URLs if (!$disable_cd_check && strpos($url, generate_board_url(true) . '/') !== 0) { - trigger_error('Tried to redirect to potentially insecure url.', E_USER_ERROR); + trigger_error('INSECURE_REDIRECT', E_USER_ERROR); } // Make sure no linebreaks are there... to prevent http response splitting for PHP < 4.4.2 -- cgit v1.2.1 From d7c96cc60ca5836356a0c4f0bb9a9976a4a232ab Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Fri, 24 Apr 2015 15:09:30 +0200 Subject: [ticket/security-180] Use language variable for redirect error in 3.1+ SECURITY-180 --- phpBB/includes/functions.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/includes') diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index e00231c360..cc5d185f4e 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -2309,7 +2309,7 @@ function redirect($url, $return = false, $disable_cd_check = false) // Attention: only able to redirect within the same domain if $disable_cd_check is false (yourdomain.com -> www.yourdomain.com will not work) if (!$disable_cd_check && $url_parts['host'] !== $user->host) { - trigger_error('Tried to redirect to potentially insecure url.', E_USER_ERROR); + trigger_error('INSECURE_REDIRECT', E_USER_ERROR); } } else if ($url[0] == '/') -- cgit v1.2.1