1
0
Fork 0
mirror of https://github.com/sbrl/Pepperminty-Wiki.git synced 2024-11-22 04:23:01 +00:00

Fix more intelligent returnto redirect

This commit is contained in:
Starbeamrainbowlabs 2021-09-30 21:06:07 +01:00
parent fa407ce99d
commit 7cf545a3ca
Signed by: sbrl
GPG key ID: 1BE5172E637709C2
2 changed files with 11 additions and 11 deletions

View file

@ -6,14 +6,12 @@ This file holds the changelog for Pepperminty Wiki. This is the master list of t
### Changed ### Changed
- Display returnto URL above the login form if present to further mitigate CSRF issues - Display returnto URL above the login form if present to further mitigate CSRF issues
- Improve `returnto` sanitisation to be more intelligent
### Fixed ### Fixed
- [security] Fixed an XSS vulnerability in the `format` GET parameter of the `stats` action (thanks, @JamieSlome) - [security] Fixed an XSS vulnerability in the `format` GET parameter of the `stats` action (thanks, @JamieSlome)
- [security] Ensured that the `returnto` GET parameter leads you only to another place on your Pepperminty Wiki instance (thanks, @JamieSlome) - [security] Ensured that the `returnto` GET parameter leads you only to another place on your Pepperminty Wiki instance (thanks, @JamieSlome)
- [security] Ensure that Javascript in SVGs never gets executed (it's too challenging to strip it, since it could be lurking in many different places - according to [this answer](https://stackoverflow.com/a/68505306/1460422) even Inkscape doesn't strip all Javascript when asked to) - [security] Ensure that Javascript in SVGs never gets executed (it's too challenging to strip it, since it could be lurking in many different places - according to [this answer](https://stackoverflow.com/a/68505306/1460422) even Inkscape doesn't strip all Javascript when asked to)
- [security] Fixed XSS when the `action` GET param doesn't match a known action - [security] Fixed XSS when the `action` GET param doesn't match a known action
- [security] Further avoid session fixation attacks by regenerating session ids after login (session cookies are already marked as `HttpOnly`)
## v0.23 ## v0.23

View file

@ -159,18 +159,20 @@ register_module([
$_SESSION["$settings->sessionprefix-pass"] = $new_password_hash ?? hash_password($pass); $_SESSION["$settings->sessionprefix-pass"] = $new_password_hash ?? hash_password($pass);
$_SESSION["$settings->sessionprefix-expiretime"] = time() + 60*60*24*30; // 30 days from now $_SESSION["$settings->sessionprefix-expiretime"] = time() + 60*60*24*30; // 30 days from now
$returnto_redirect = $_GET["returnto"];
$returnto_parsed = parse_url($returnto_redirect);
// Ensure that this redirect takes to only somewhere else in this site
$returnto_redirect = "?{$returnto_parsed["query"]}";
// Redirect to wherever the user was going // Redirect to wherever the user was going
http_response_code(302); http_response_code(302);
header("x-login-success: yes"); header("x-login-success: yes");
if(isset($_GET["returnto"])) if(isset($_GET["returnto"])) {
header("location: " . $_GET["returnto"]); $returnto_redirect = $_GET["returnto"];
if(strpos($returnto_redirect, "?") === false) {
http_response_code(307);
header("location: ?action=view");
exit(page_renderer::render_main("Login error - $settings->sitename", "<p>Your credentials were correct, but the 'returnto' URL specified (in the <code>returnto</code> GET parameter) did not contain a question mark. To protect you from being redirected to another site, $settings->sitename only allows redirects that do not leave $settings->sitename.</p>"));
}
// Ensure that this redirect takes to only somewhere else in this site
$returnto_redirect = substr($returnto_redirect, strpos($returnto_redirect, "?"));
header("location: $returnto_redirect");
}
else else
header("location: index.php"); header("location: index.php");
exit(); exit();