View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0006044 | mantisbt | security | public | 2005-07-29 18:51 | 2006-10-09 11:55 |
Field | Value
---|---
Reporter | grangeway
Assigned To | thraxisp
Priority | normal
Severity | major
Reproducibility | always
Status | closed
Resolution | fixed
Fixed in Version | 1.0.0
Summary | 0006044: 'Return' _GET is not checked
Tags | No tags attached.

Description:

Other than not necessarily being a good way to direct users: Navigating to: directs the user to google. Navigating to:

```
GET /login_cookie_test.php?return=Foobar%3F%0D%0ALocation%3A+http://www.google.com/ HTTP/1.1

HTTP/1.1 302 Found
```

Let's fix this :)
Reminder sent to: thraxisp, vboctor

thoughts on ways to fix/check this one? :)

It's also an RFC violation to not include the full host iirc.

The same structure also exists in login_page.php, manage_config_revert.php, manage_custom_field_delete.php, manage_custom_field_edit_page.php, and manage_custom_field_update.php. I'd suggest that we parse the value and, if there are any slashes (/), strip off anything before the last /. We can then append it to the mantis base URL.

We could develop a function to sanitize the return value... `$f_return = sanitize_return( gpc_get_string( 'return', config_get( 'default_home_page' ) ) );` It could check if the return value is under the Mantis web URL and discard it if not. The RFC 2616 violation when redirecting is bug 0003911. The library I've attached there can help us with the above too -- my complete_url() function can take the supposedly relative URL in the "return" parameter and convert it to a full URL, and then a comparison can be done to see if the Mantis base URL can be found starting at character 0 of that complete URL.

Although your second example, where you put a second Location header in the GET parameter, is very cute. I suspect my library does nothing to help with that, nor, after a little thought, should it, really. The path should be sanitized before passing it to my function.

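An added example of the `sanitize_return()` idea discussed in the notes above; it is not MantisBT's own code nor the library attached to 0003911. It rejects CR/LF (the injected second Location header from the report), resolves the value to an absolute URL and accepts it only when the Mantis base URL sits at character 0. The function signature, the base URL value and the fallback target (standing in for `default_home_page`) are assumptions.

```php
<?php
// Added example, not MantisBT's own code.  Assumptions: $base_url is the
// configured Mantis web URL (with path), $default the fallback target.
function sanitize_return($return, $base_url, $default) {
    // CR/LF would let the value inject extra headers (the "%0D%0ALocation:"
    // case from the report), so reject it before anything else.
    if (preg_match('/[\r\n]/', $return)) {
        return $default;
    }
    $base = rtrim($base_url, '/') . '/';          // exactly one trailing slash
    $p = parse_url($base);
    $origin = $p['scheme'] . '://' . $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '');
    // Resolve to an absolute URL (the complete_url() idea from the notes).
    if (strpos($return, '//') === 0) {
        return $default;                           // scheme-relative: leaves the site
    } elseif (preg_match('#^[a-z][a-z0-9+.-]*://#i', $return)) {
        $absolute = $return;                       // already absolute
    } elseif ($return !== '' && $return[0] === '/') {
        $absolute = $origin . $return;             // site-absolute path
    } else {
        $absolute = $base . $return;               // relative to the Mantis directory
    }
    // Accept only if the Mantis base URL is found at character 0; the trailing
    // slash on $base is what stops "mantis.example.com.evil.test" from matching.
    if (strncasecmp($absolute, $base, strlen($base)) !== 0) {
        return $default;
    }
    // "/.." after the prefix could still climb out of the Mantis directory.
    $path = parse_url($absolute, PHP_URL_PATH);
    if ($path !== null && preg_match('#(^|/)\.\.(/|$)#', $path)) {
        return $default;
    }
    return $absolute;
}

// Constructed sample values for a stand-alone run.
$base = 'http://mantis.example.com/mantis/';
$home = $base . 'my_view_page.php';
$samples = array(
    'view_all_bug_page.php',                          // accepted
    '/mantis/view.php?id=6044',                       // accepted (site-absolute)
    "Foobar?\r\nLocation: http://www.google.com/",    // header injection: rejected
    'http://www.google.com/',                         // off-site: rejected
    '//www.google.com/',                              // scheme-relative: rejected
    'http://mantis.example.com.evil.test/mantis/',    // prefix trick: rejected
    '../other_app/',                                  // climbs out: rejected
);
foreach ($samples as $s) {
    printf("%-48s => %s\n", addcslashes($s, "\r\n"), sanitize_return($s, $base, $home));
}
```

Each rejected value falls back to $home, so the redirect never leaves the Mantis base URL and never carries a second header line.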
Fixed in CVS. core/string_api.php -> 1.75.4.2.2.1.2.1