diff options
| author | Harald Eilertsen <haraldei@anduin.net> | 2022-03-20 14:37:19 +0100 |
|---|---|---|
| committer | Harald Eilertsen <haraldei@anduin.net> | 2022-03-20 15:34:24 +0100 |
| commit | b3ca31bce7ed0dd5777458005718ba96985cbdc2 (patch) | |
| tree | e95a34664c278c76f8c4f68fd2749c91a6d046d6 /Zotlabs/Module/Settings/Connections.php | |
| parent | b02f6a1dae3e3fae4af4b24e65256cdf653b2515 (diff) | |
| download | volse-hubzilla-b3ca31bce7ed0dd5777458005718ba96985cbdc2.tar.gz volse-hubzilla-b3ca31bce7ed0dd5777458005718ba96985cbdc2.tar.bz2 volse-hubzilla-b3ca31bce7ed0dd5777458005718ba96985cbdc2.zip | |
CVE-2022-27256: Open redirect via rpath query param.
Don't follow urls to external sites when submitting forms from the
settings modules. This mitigates an Open Redirect vulnerability where an
attacker could trick a user to go to an attacker controlled destination.
Fixes part of https://framagit.org/hubzilla/core/-/issues/1666
Diffstat (limited to 'Zotlabs/Module/Settings/Connections.php')
| -rw-r--r-- | Zotlabs/Module/Settings/Connections.php | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/Zotlabs/Module/Settings/Connections.php b/Zotlabs/Module/Settings/Connections.php index 4193ba11d..52a95a3d1 100644 --- a/Zotlabs/Module/Settings/Connections.php +++ b/Zotlabs/Module/Settings/Connections.php @@ -11,14 +11,14 @@ class Connections { $module = substr(strrchr(strtolower(static::class), '\\'), 1); check_form_security_token_redirectOnErr('/settings/' . $module, 'settings_' . $module); - + $features = get_module_features($module); process_module_features_post(local_channel(), $features, $_POST); - + Libsync::build_sync_packet(); - if($_POST['rpath']) + if(isset($_POST['rpath']) && is_local_url($_POST['rpath'])) goaway($_POST['rpath']); return; |