diff options
| author | Bernhard Posselt <nukeawhale@gmail.com> | 2013-04-23 12:21:39 -0700 |
|---|---|---|
| committer | Bernhard Posselt <nukeawhale@gmail.com> | 2013-04-23 12:21:39 -0700 |
| commit | 9dde43db57f5fffc68ef096b1a041f8b5d427d96 (patch) | |
| tree | d3674c01323ef9330dd9f9b2b47fc983a9efd719 | |
| parent | 99cb37a6d121d2f9907c54ad026b7423e3d5cdd2 (diff) | |
| parent | 6e78c4fcc04820717afe5cdb55112d4a22d6f2dc (diff) | |
| download | nextcloud-server-9dde43db57f5fffc68ef096b1a041f8b5d427d96.tar.gz nextcloud-server-9dde43db57f5fffc68ef096b1a041f8b5d427d96.zip | |
Merge pull request #3080 from owncloud/validate_redirect_mast
Disallow URLs containing a @
| -rw-r--r-- | lib/base.php | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/lib/base.php b/lib/base.php index 7b0967df9f9..a32ed460907 100644 --- a/lib/base.php +++ b/lib/base.php @@ -631,8 +631,13 @@ class OC { // Handle redirect URL for logged in users if (isset($_REQUEST['redirect_url']) && OC_User::isLoggedIn()) { $location = OC_Helper::makeURLAbsolute(urldecode($_REQUEST['redirect_url'])); - header('Location: ' . $location); - return; + + // Deny the redirect if the URL contains a @ + // This prevents unvalidated redirects like ?redirect_url=:user@domain.com + if (strpos($location, '@') === FALSE) { + header('Location: ' . $location); + return; + } } // Handle WebDAV if ($_SERVER['REQUEST_METHOD'] == 'PROPFIND') { |