Skip to content

Commit 1a33506

Browse files
bantubantu
committedApr 28, 2015
Merge remote-tracking branch 'phpbb-security/ticket/security-180' into prep-release-3.0.14
* phpbb-security/ticket/security-180: [ticket/security-180] Add tests for redirecting to main URL [ticket/security-180] Always fail when redirecting to an insecure URL [ticket/security-180] Make sure that redirect goes to full URL plus slash [ticket/security-180] Check if redirect URL contains board URL
·
release-3.3.15-RC1release-3.0.14-RC1
2 parents d833f29 + 18fc621 commit 1a33506

File tree

2 files changed

+14
-3
lines changed

2 files changed

+14
-3
lines changed
 

‎phpBB/includes/functions.php

+7-1
Original file line numberDiff line numberDiff line change
@@ -2492,7 +2492,7 @@ function redirect($url, $return = false, $disable_cd_check = false)
24922492
// Attention: only able to redirect within the same domain if $disable_cd_check is false (yourdomain.com -> www.yourdomain.com will not work)
24932493
if (!$disable_cd_check && $url_parts['host'] !== $user->host)
24942494
{
2495-
$url = generate_board_url();
2495+
trigger_error('Tried to redirect to potentially insecure url.', E_USER_ERROR);
24962496
}
24972497
}
24982498
else if ($url[0] == '/')
@@ -2579,6 +2579,12 @@ function redirect($url, $return = false, $disable_cd_check = false)
25792579
}
25802580
}
25812581

2582+
// Make sure we don't redirect to external URLs
2583+
if (!$disable_cd_check && strpos($url, generate_board_url(true) . '/') !== 0)
2584+
{
2585+
trigger_error('Tried to redirect to potentially insecure url.', E_USER_ERROR);
2586+
}
2587+
25822588
// Make sure no linebreaks are there... to prevent http response splitting for PHP < 4.4.2
25832589
if (strpos(urldecode($url), "\n") !== false || strpos(urldecode($url), "\r") !== false || strpos($url, ';') !== false)
25842590
{

‎tests/security/redirect_test.php

+7-2
Original file line numberDiff line numberDiff line change
@@ -18,12 +18,17 @@ static public function provider()
1818
{
1919
// array(Input -> redirect(), expected triggered error (else false), expected returned result url (else false))
2020
return array(
21-
array('data://x', false, 'http://localhost/phpBB'),
21+
array('data://x', 'Tried to redirect to potentially insecure url.', false),
2222
array('bad://localhost/phpBB/index.php', 'Tried to redirect to potentially insecure url.', false),
23-
array('http://www.otherdomain.com/somescript.php', false, 'http://localhost/phpBB'),
23+
array('http://www.otherdomain.com/somescript.php', 'Tried to redirect to potentially insecure url.', false),
2424
array("http://localhost/phpBB/memberlist.php\n\rConnection: close", 'Tried to redirect to potentially insecure url.', false),
2525
array('javascript:test', false, 'http://localhost/phpBB/../javascript:test'),
2626
array('http://localhost/phpBB/index.php;url=', 'Tried to redirect to potentially insecure url.', false),
27+
array('https://foobar.com\@http://localhost/phpBB', 'Tried to redirect to potentially insecure url.', false),
28+
array('https://foobar.com\@localhost/troll/http://localhost/', 'Tried to redirect to potentially insecure url.', false),
29+
array('http://localhost.foobar.com\@localhost/troll/http://localhost/', 'Tried to redirect to potentially insecure url.', false),
30+
array('http://localhost/phpBB', false, 'http://localhost/phpBB'),
31+
array('http://localhost/phpBB/', false, 'http://localhost/phpBB/'),
2732
);
2833
}
2934

0 commit comments

Comments
 (0)
Please sign in to comment.