View Issue Details

ID: 0006044
Project: mantisbt
Category: security
View Status: public
Last Update: 2006-10-09 11:55
Reporter: grangeway
Assigned To: thraxisp
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Fixed in Version: 1.0.0
Summary: 0006044: 'Return' _GET is not checked
Description

Other than not necessarily being a good way to direct users:

Navigating to:
http://bugs.mantisbt.org/login_cookie_test.php?return=http://www.google.com/

directs the user to google.

Navigating to:
http://bugs.mantisbt.org/login_cookie_test.php?return=Foobar%3F%0D%0ALocation%3A+www.google.com

GET /login_cookie_test.php?return=Foobar%3F%0D%0ALocation%3A+http://www.google.com/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50215)
Host: bugs.mantisbt.org
Connection: Keep-Alive
Cookie: MANTIS_VIEW_ALL_COOKIE=1425

HTTP/1.1 302 Found
Date: Fri, 29 Jul 2005 22:47:39 GMT
Server: Apache/2.0.52 (Unix)
X-Powered-By: PHP/4.3.10
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Expires: Fri, 29 Jul 2005 22:47:40 GMT
Location: Foobar?
Location: http://www.google.com/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=windows-1252

Let's fix this :)


Relationships

parent of 0006665 (closed, thraxisp): Port 0006044: 'Return' _GET is not checked

Activities

grangeway (reporter), 2005-07-29 18:53, note ~0011023

Reminder sent to: thraxisp, vboctor

thoughts on ways to fix/check this one? :)

grangeway (reporter), 2005-07-29 19:02, note ~0011024

It's also an RFC violation to not include the full host iirc.

thraxisp (reporter), 2005-08-04 20:16, note ~0011077

The same structure also exists in login_page.php, manage_config_revert.php, manage_custom_field_delete.php, manage_custom_field_edit_page.php, and manage_custom_field_update.php.

I'd suggest that we parse the value and, if there are any slashes (/), strip off anything before the last /. We can then append it to the mantis base URL.

ryandesign (reporter), 2005-08-07 16:36, note ~0011107

We could develop a function to sanitize the return value...

$f_return = sanitize_return( gpc_get_string( 'return', config_get( 'default_home_page' ) ) );

It could check if the return value is under the Mantis web URL and discard it if not.

The RFC 2616 violation when redirecting is bug 0003911. The library I've attached there can help us with the above too -- my complete_url() function can take the supposedly relative URL in the "return" parameter and convert it to a full URL, and then a comparison can be done to see if the Mantis base URL can be found starting at character 0 of that complete URL.

ryandesign (reporter), 2005-08-07 16:42, note ~0011108

Although your second example, where you put a second Location header in the GET parameter, is very cute. I suspect my library does nothing to help with that, nor, after a little thought, should it, really. The path should be sanitized before passing it to my function.
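The following is an added example, not MantisBT's own code and not the fix that was committed: a sanitize_return() in the shape the thread sketches. It discards any value containing CR, LF or NUL (the second "Location:" header in the report), re-anchors relative paths under the Mantis base URL (thraxisp's suggestion), and accepts an absolute URL only when the base URL is found at character 0 of it (ryandesign's suggestion). The function name comes from the thread; the $p_/$t_ variable names, the my_view_page.php default, the base URL and the test inputs are assumptions constructed for this example.

```php
<?php
// Added example, not MantisBT code. sanitize_return() as discussed in the
// thread: reject header injection, keep the redirect target under the
// Mantis base URL, otherwise fall back to the default home page.

function sanitize_return( $p_return, $p_base, $p_default = 'my_view_page.php' ) {
	// Normalise the base to end in exactly one slash so a prefix match
	// cannot be satisfied by a longer host name such as
	// http://bugs.mantisbt.org.example.net/ or by userinfo tricks such as
	// http://bugs.mantisbt.org@example.net/
	$t_base     = rtrim( $p_base, '/' ) . '/';
	$t_fallback = $t_base . $p_default;

	// 1. CR, LF or NUL anywhere in the value: header injection, discard it.
	if ( preg_match( '/[\r\n\0]/', $p_return ) ) {
		return $t_fallback;
	}

	// 2. Anything with a scheme ("http:", "javascript:") or a leading "//"
	//    is treated as absolute and kept as is for the prefix test below.
	if ( preg_match( '#^([a-z][a-z0-9+.-]*:|//)#i', $p_return ) ) {
		$t_full = $p_return;
	} else {
		// 3. Relative path: drop empty, "." and ".." segments and
		//    re-anchor what is left under the base URL.
		$t_parts = array();
		foreach ( explode( '/', $p_return ) as $t_segment ) {
			if ( $t_segment === '' || $t_segment === '.' || $t_segment === '..' ) {
				continue;
			}
			$t_parts[] = $t_segment;
		}
		$t_full = $t_base . implode( '/', $t_parts );
	}

	// 4. Accept only if the Mantis base URL starts at character 0.
	if ( strncasecmp( $t_full, $t_base, strlen( $t_base ) ) !== 0 ) {
		return $t_fallback;
	}
	return $t_full;
}

// Constructed inputs: the two values from the report (as PHP sees them in
// $_GET, i.e. after URL decoding) plus a few edge cases, each paired with
// the result the function is expected to return.
$t_base  = 'http://bugs.mantisbt.org/';
$t_home  = $t_base . 'my_view_page.php';
$t_cases = array(
	array( 'http://www.google.com/',                 $t_home ),
	array( "Foobar?\r\nLocation: www.google.com",    $t_home ),
	array( '//www.google.com/',                      $t_home ),
	array( 'http://bugs.mantisbt.org.example.net/',  $t_home ),
	array( 'http://bugs.mantisbt.org@example.net/',  $t_home ),
	array( 'view.php?id=6044',                       $t_base . 'view.php?id=6044' ),
	array( '../../view.php?id=6044',                 $t_base . 'view.php?id=6044' ),
	array( 'http://bugs.mantisbt.org/view.php?id=1', $t_base . 'view.php?id=1' ),
);

foreach ( $t_cases as $t_case ) {
	$t_got = sanitize_return( $t_case[0], $t_base );
	echo ( $t_got === $t_case[1] ? 'ok   ' : 'FAIL ' ),
	     str_replace( array( "\r", "\n" ), array( '\r', '\n' ), $t_case[0] ),
	     ' -> ', $t_got, "\n";
}
```

In a page handler this would be called as `$f_return = sanitize_return( gpc_get_string( 'return', config_get( 'default_home_page' ) ), config_get( 'path' ) );`, using the Mantis base URL from the `path` config. The relative branch treats the whole value as a path, so a `..` that sits inside a query string is normalised away as well; that is deliberate, since nothing Mantis links to needs it. The CR/LF check is still worth keeping even though PHP 4.4.2 / 5.1.2 and later make header() refuse a value containing a newline: it also blocks the value from being reflected into HTML or logs, and it keeps the check independent of the PHP version the install runs on.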

thraxisp (reporter), 2006-02-02 22:57, note ~0012072

Fixed in CVS.

core/string_api.php -> 1.75.4.2.2.1.2.1
core/print_api.php -> 1.143.6.1.4.1
core/html_api.php -> 1.184.4.1.2.1.2.1