From 5ce50d0a2e15ae66765a68ba2785a87ecda57f6a Mon Sep 17 00:00:00 2001 From: zotlabs Date: Wed, 18 Jul 2018 17:05:38 -0700 Subject: mangled urls on redirects --- Zotlabs/Module/Magic.php | 7 ++++--- Zotlabs/Module/Manage.php | 2 +- Zotlabs/Module/Nojs.php | 4 ++-- Zotlabs/Module/Rmagic.php | 10 +++++----- 4 files changed, 12 insertions(+), 11 deletions(-) (limited to 'Zotlabs/Module') diff --git a/Zotlabs/Module/Magic.php b/Zotlabs/Module/Magic.php index 25c318f30..e034f1cdf 100644 --- a/Zotlabs/Module/Magic.php +++ b/Zotlabs/Module/Magic.php @@ -14,15 +14,16 @@ class Magic extends \Zotlabs\Web\Controller { logger('mod_magic: args: ' . print_r($_REQUEST,true),LOGGER_DATA); $addr = ((x($_REQUEST,'addr')) ? $_REQUEST['addr'] : ''); + $bdest = ((x($_REQUEST,'bdest')) ? $_REQUEST['bdest'] : ''); $dest = ((x($_REQUEST,'dest')) ? $_REQUEST['dest'] : ''); $test = ((x($_REQUEST,'test')) ? intval($_REQUEST['test']) : 0); $rev = ((x($_REQUEST,'rev')) ? intval($_REQUEST['rev']) : 0); $owa = ((x($_REQUEST,'owa')) ? intval($_REQUEST['owa']) : 0); $delegate = ((x($_REQUEST,'delegate')) ? $_REQUEST['delegate'] : ''); - // Apache(?) appears to perform an htmlentities() operation on this variable - - $dest = html_entity_decode($dest); + + if($bdest) + $dest = hex2bin($bdest); $parsed = parse_url($dest); if(! $parsed) { diff --git a/Zotlabs/Module/Manage.php b/Zotlabs/Module/Manage.php index 9c5c32294..2c88a4df0 100644 --- a/Zotlabs/Module/Manage.php +++ b/Zotlabs/Module/Manage.php @@ -156,7 +156,7 @@ class Manage extends \Zotlabs\Web\Controller { if($delegates) { for($x = 0; $x < count($delegates); $x ++) { - $delegates[$x]['link'] = 'magic?f=&dest=' . urlencode($delegates[$x]['xchan_url']) + $delegates[$x]['link'] = 'magic?f=&bdest=' . bin2hex($delegates[$x]['xchan_url']) . '&delegate=' . urlencode($delegates[$x]['xchan_addr']); $delegates[$x]['channel_name'] = $delegates[$x]['xchan_name']; $delegates[$x]['delegate'] = 1; diff --git a/Zotlabs/Module/Nojs.php b/Zotlabs/Module/Nojs.php index 6fd6d8106..5f3d80ecd 100644 --- a/Zotlabs/Module/Nojs.php +++ b/Zotlabs/Module/Nojs.php @@ -7,8 +7,8 @@ class Nojs extends \Zotlabs\Web\Controller { function init() { $n = ((argc() > 1) ? intval(argv(1)) : 1); setcookie('jsdisabled', $n, 0, '/'); - $p = $_GET['redir']; - $hasq = strpos($p,'?'); + $p = hex2bin($_GET['redir']); + $hasq = strpbrk($p,'?&'); goaway(z_root() . (($p) ? '/' . $p : '') . (($hasq) ? '' : '?f=' ) . '&jsdisabled=' . $n); } diff --git a/Zotlabs/Module/Rmagic.php b/Zotlabs/Module/Rmagic.php index bfc03f6ec..33a6689ca 100644 --- a/Zotlabs/Module/Rmagic.php +++ b/Zotlabs/Module/Rmagic.php @@ -17,8 +17,8 @@ class Rmagic extends \Zotlabs\Web\Controller { if($r) { if($r[0]['hubloc_url'] === z_root()) goaway(z_root() . '/login'); - $dest = z_root() . '/' . str_replace(['rmagic','zid='],['','zid_='],\App::$query_string); - goaway($r[0]['hubloc_url'] . '/magic' . '?f=&owa=1&dest=' . $dest); + $dest = bin2hex(z_root() . '/' . str_replace(['rmagic','zid='],['','zid_='],\App::$query_string)); + goaway($r[0]['hubloc_url'] . '/magic' . '?f=&owa=1&bdest=' . $dest); } } } @@ -59,11 +59,11 @@ class Rmagic extends \Zotlabs\Web\Controller { if($url) { if($_SESSION['return_url']) - $dest = urlencode(z_root() . '/' . str_replace('zid=','zid_=',$_SESSION['return_url'])); + $dest = bin2hex(z_root() . '/' . str_replace('zid=','zid_=',$_SESSION['return_url'])); else - $dest = urlencode(z_root() . '/' . str_replace([ 'rmagic', 'zid=' ] ,[ '', 'zid_='],\App::$query_string)); + $dest = bin2hex(z_root() . '/' . str_replace([ 'rmagic', 'zid=' ] ,[ '', 'zid_='],\App::$query_string)); - goaway($url . '/magic' . '?f=&owa=1&dest=' . $dest); + goaway($url . '/magic' . '?f=&owa=1&bdest=' . $dest); } } } -- cgit v1.2.3