HOR-3396 Authenticated Open Redirect

- Cleaning protocols in url redirect.
2017-08-08 10:42:08 -04:00
parent 33bb062fe7
commit b6ce2f94a9
1 changed files with 16 additions and 4 deletions
--- a/workflow/engine/methods/login/login.php
+++ b/workflow/engine/methods/login/login.php
@@ -33,10 +33,22 @@ if ($browserSupported==false){
 /*----------------------------------********---------------------------------*/
 $aFields = array();

-if (!isset($_GET['u'])) {
-    $aFields['URL'] = '';
-} else {
-    $aFields['URL'] = htmlspecialchars(addslashes(stripslashes(strip_tags(trim(urldecode($_GET['u']))))));
+//Validated redirect url
+$aFields['URL'] = '';
+if (!empty($_GET['u'])) {
+    //clean url with protocols
+    $flagUrl = true;
+    $protocols = ['https://', 'http://', 'ftp://', 'www.'];
+    foreach ($protocols as $protocol) {
+        if (strpos($_GET['u'], $protocol) !== false) {
+            $_GET['u'] = '';
+            $flagUrl = false;
+            break;
+        }
+    }
+    if ($flagUrl) {
+        $aFields['URL'] = htmlspecialchars(addslashes(stripslashes(strip_tags(trim(urldecode($_GET['u']))))));
+    }
 }

 if (!isset($_SESSION['G_MESSAGE'])) {