| Field | Value |
|---|---|
| ID | 0006044 |
| Project | mantisbt |
| Category | security |
| View Status | public |
| Date Submitted | 2005-07-29 18:51 |
| Last Update | 2006-10-09 11:55 |
| Reporter | grangeway |
| Assigned To | thraxisp |
| Priority | normal |
| Severity | major |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Platform | |
| OS | |
| OS Version | |
| Product Version | |
| Target Version | |
| Fixed in Version | 1.0.0 |

Summary: 0006044: 'Return' _GET is not checked

Description:

Other than not necessarily being a good way to direct users:

Navigating to:
http://bugs.mantisbt.org/login_cookie_test.php?return=http://www.google.com/
directs the user to Google.

Navigating to:
http://bugs.mantisbt.org/login_cookie_test.php?return=Foobar%3F%0D%0ALocation%3A+www.google.com

```http
GET /login_cookie_test.php?return=Foobar%3F%0D%0ALocation%3A+http://www.google.com/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50215)
Host: bugs.mantisbt.org
Connection: Keep-Alive
Cookie: MANTIS_VIEW_ALL_COOKIE=1425

HTTP/1.1 302 Found
Date: Fri, 29 Jul 2005 22:47:39 GMT
Server: Apache/2.0.52 (Unix)
X-Powered-By: PHP/4.3.10
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Expires: Fri, 29 Jul 2005 22:47:40 GMT
Location: Foobar?
Location: http://www.google.com/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=windows-1252
```

Let's fix this :)

Tags: No tags attached.

Attached Files: (none)
Notes

grangeway (developer) 2005-07-29 18:53
Reminder sent to: thraxisp, vboctor

Thoughts on ways to fix/check this one? :)

grangeway (developer) 2005-07-29 19:02
It's also an RFC violation to not include the full host, iirc.

thraxisp (manager) 2005-08-04 20:16
The same structure also exists in login_page.php, manage_config_revert.php, manage_custom_field_delete.php, manage_custom_field_edit_page.php, and manage_custom_field_update.php. I'd suggest that we parse the value and, if there are any slashes (/), strip off anything before the last /. We can then append it to the mantis base URL.

ryandesign (reporter) 2005-08-07 16:36
We could develop a function to sanitize the return value...

    $f_return = sanitize_return( gpc_get_string( 'return', config_get( 'default_home_page' ) ) );

It could check if the return value is under the Mantis web URL and discard it if not. The RFC 2616 violation when redirecting is bug 0003911. The library I've attached there can help us with the above too -- my complete_url() function can take the supposedly relative URL in the "return" parameter and convert it to a full URL, and then a comparison can be done to see if the Mantis base URL can be found starting at character 0 of that complete URL.

ryandesign (reporter) 2005-08-07 16:42
Although your second example, where you put a second Location header in the GET parameter, is very cute. I suspect my library does nothing to help with that, nor, after a little thought, should it, really. The path should be sanitized before passing it to my function.

thraxisp (manager) 2006-02-02 22:57
Fixed in CVS.

- core/string_api.php -> 1.75.4.2.2.1.2.1
- core/print_api.php -> 1.143.6.1.4.1
- core/html_api.php -> 1.184.4.1.2.1.2.1
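The following is an added example by the editor of this page, not MantisBT's own code and not the CVS change referenced in the note above. It implements a `sanitize_return()` along the lines ryandesign and thraxisp propose: reject anything carrying CR/LF (the second request in the description), complete a relative path against the Mantis base URL as `complete_url()` would, and then require the base URL to appear at character 0 of the result (the first request in the description). The base URL, the default home page, the demo inputs and the constant names are assumptions constructed for illustration; `gpc_get_string()` in the usage comment is the MantisBT helper named in the note.

```php
<?php
declare(strict_types=1);

// Assumed configuration, standing in for config_get('path') and
// config_get('default_home_page'); not MantisBT's real values.
const MANTIS_BASE_URL   = 'http://bugs.mantisbt.org/';
const DEFAULT_HOME_PAGE = 'my_view_page.php';

/**
 * Return an absolute URL under $base that is safe to place in a Location:
 * header, or $base.$default when $return cannot be trusted.
 *
 * Rejected inputs:
 *   - anything containing CR, LF or another control byte (the %0D%0A
 *     header-injection request in the description);
 *   - absolute URLs whose scheme://host/ is not $base (the google.com
 *     redirect in the description);
 *   - scheme-relative "//host/..." and "/\host/..." forms, which browsers
 *     treat as a change of host.
 * Relative paths are first completed against $base so that one prefix
 * comparison covers every form. The result is always absolute, which also
 * satisfies the RFC 2616 point raised in the notes.
 */
function sanitize_return(string $return, string $base = MANTIS_BASE_URL, string $default = DEFAULT_HOME_PAGE): string
{
    // The prefix test below is only sound if $base ends in "/"; otherwise
    // "http://bugs.mantisbt.org.evil.example/" would pass it.
    $base     = rtrim($base, '/') . '/';
    $fallback = $base . $default;

    // Control bytes would terminate the header line; fail closed.
    if ($return === '' || preg_match('/[\x00-\x1F\x7F]/', $return) === 1) {
        return $fallback;
    }

    // Browsers accept backslashes as slashes in the authority position.
    $return = str_replace('\\', '/', $return);

    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $return) === 1) {
        $absolute = $return;                     // has a scheme: treat as absolute
    } elseif (substr($return, 0, 2) === '//') {
        return $fallback;                        // scheme-relative: attacker's host
    } else {
        $absolute = $base . ltrim($return, '/'); // relative: pin it under the base
    }

    // Final gate: the configured base must be a literal prefix ...
    if (strncmp($absolute, $base, strlen($base)) !== 0) {
        return $fallback;
    }
    // ... and the parsed host must agree, as a second, independent check.
    $parts = parse_url($absolute);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])
        || strcasecmp($parts['host'], (string) parse_url($base, PHP_URL_HOST)) !== 0) {
        return $fallback;
    }
    return $absolute;
}

/** Constructed inputs: the two from the description plus benign and edge cases. */
function demo(): array
{
    $inputs = [
        'http://www.google.com/',                          // open redirect
        "Foobar?\r\nLocation: http://www.google.com/",     // %0D%0A after URL decoding
        'view_all_bug_page.php?page_number=2',             // benign relative path
        '/bug_view_page.php?bug_id=6044',                  // benign root-relative path
        '//www.google.com/',                               // scheme-relative
        '/\\www.google.com/',                              // backslash variant
        'http://bugs.mantisbt.org.evil.example/',          // prefix look-alike
        'http://bugs.mantisbt.org/view_all_bug_page.php',  // absolute, under the base
    ];
    $out = [];
    foreach ($inputs as $in) {
        $out[$in] = sanitize_return($in);
    }
    return $out;
}

// Usage at the top of a redirecting page, in place of a raw
// header('Location: ' . $_GET['return']) (gpc_get_string is the helper
// named in the notes; the call shape here is assumed):
//   header('Location: ' . sanitize_return(gpc_get_string('return', DEFAULT_HOME_PAGE)));
//   exit;

if (PHP_SAPI === 'cli') {
    foreach (demo() as $in => $safe) {
        printf("%-55s => %s\n", json_encode($in), $safe);
    }
}
```

Run from the command line, the two inputs from the description, the scheme-relative and backslash variants and the look-alike host all collapse to `http://bugs.mantisbt.org/my_view_page.php`, while the three benign inputs come back as absolute URLs under the base. One caveat worth knowing when testing against a live instance: PHP's `header()` has refused to emit more than one header per call since PHP 4.4.2 and 5.1.2, so on anything newer than the PHP/4.3.10 shown in the response dump the second `Location:` trick fails on its own, but the plain open redirect in the first request is untouched by that change and still needs the check above.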
Issue History

| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2005-07-29 18:51 | grangeway | New Issue | |
| 2005-07-29 18:53 | grangeway | Note Added: 0011023 | |
| 2005-07-29 19:02 | grangeway | Note Added: 0011024 | |
| 2005-08-04 20:16 | thraxisp | Note Added: 0011077 | |
| 2005-08-07 16:36 | ryandesign | Note Added: 0011107 | |
| 2005-08-07 16:42 | ryandesign | Note Added: 0011108 | |
| 2006-02-02 22:43 | thraxisp | Issue cloned: 0006665 | |
| 2006-02-02 22:43 | thraxisp | Relationship added | parent of 0006665 |
| 2006-02-02 22:57 | thraxisp | Status | new => resolved |
| 2006-02-02 22:57 | thraxisp | Fixed in Version | => 1.0.0rc6 |
| 2006-02-02 22:57 | thraxisp | Resolution | open => fixed |
| 2006-02-02 22:57 | thraxisp | Assigned To | => thraxisp |
| 2006-02-02 22:57 | thraxisp | Note Added: 0012072 | |
| 2006-02-04 05:44 | vboctor | Status | resolved => closed |
| 2006-10-09 11:55 | thraxisp | View Status | private => public |
MantisBT 1.2.16dev master-1.2.x-8c2bd07
Copyright © 2000 - 2013 MantisBT Team