Changeset 1095

Show
Ignore:
Timestamp:
11/18/07 23:16:48 (9 months ago)
Author:
Rickard
Message:

Fixed XSS vulnerability and potential HTTP response splitting vulnerability in redirect() method. Thanks Meik Sievertsen and kellanved!

Files:

Legend:

Unmodified
Added
Removed
Modified
Copied
Moved

  • trunk/upload/include/functions.php

    r956 r1095  
    850850        global $db, $pun_config, $lang_common, $pun_user; 
    851851 
    852         if ($destination_url == '') 
    853                 $destination_url = 'index.php'; 
     852        // Prefix with o_base_url (unless it's there already) 
     853        if (strpos($destination_url, $pun_config['o_base_url']) !== 0) 
     854                $destination_url = $pun_config['o_base_url'].'/'.$destination_url; 
     855 
     856        // Do a little spring cleaning 
     857        $destination_url = str_replace(array("\r", "\n", '%0a', '%0d', ';'), '', $destination_url); 
    854858 
    855859        // If the delay is 0 seconds, we might as well skip the redirect all together