Unverified Commit ef9d1403 authored by IKEDA Soji's avatar IKEDA Soji Committed by GitHub

Merge pull request #411 from ikedas/issue-268 by ikedas

Issue #268: XSS and open redirect on WWSympa
parents 595ef7f4 03314a9b
......@@ -3160,9 +3160,9 @@ sub do_login {
my $user;
my $next_action;
 
if ($in{'referer'}) {
$param->{'redirect_to'} =
Sympa::Tools::Text::unescape_chars($in{'referer'});
my $url_redirect;
if ($url_redirect = _clean_referer($in{'referer'})) {
$param->{'redirect_to'} = $url_redirect;
} elsif ($in{'previous_action'}
&& $in{'previous_action'} !~ /^(login|logout|loginrequest)$/) {
$next_action = $in{'previous_action'};
......@@ -3219,8 +3219,8 @@ sub do_login {
if ($url_redirect = is_ldap_user($in{'email'})) {
$param->{'redirect_to'} = $url_redirect
if $url_redirect ne 'none';
} elsif ($in{'failure_referer'}) {
$param->{'redirect_to'} = $in{'failure_referer'};
} elsif ($url_redirect = _clean_referer($in{'failure_referer'})) {
$param->{'redirect_to'} = $url_redirect;
} else {
$in{'init_email'} = $in{'email'};
$param->{'init_email'} = $in{'email'};
......@@ -3276,12 +3276,14 @@ sub do_login {
} else {
$param->{'login_error'} = 'wrong_password';
}
my $url_redirect;
if ($in{'previous_action'}) {
delete $in{'passwd'};
$in{'list'} = $in{'previous_list'};
return $in{'previous_action'};
} elsif ($in{'failure_referer'}) {
$param->{'redirect_to'} = $in{'failure_referer'};
} elsif ($url_redirect = _clean_referer($in{'failure_referer'})) {
$param->{'redirect_to'} = $url_redirect;
} else {
return 'renewpasswd';
}
......@@ -3410,6 +3412,30 @@ sub do_login {
return 1;
}
 
sub _clean_referer {
my $referer = shift;
return undef
unless $referer and $referer =~ m{\Ahttps?://}i;
# Allow referer within scope of cookie domain.
my $host = lc(URI->new($referer)->host);
my $mydom = lc($param->{'cookie_domain'} || 'localhost');
if ($mydom eq 'localhost') {
my $myhost = Sympa::WWW::Tools::get_http_host() || '';
$myhost =~ s/:\d+\z//;
return undef
unless $host eq $myhost;
} else {
$mydom =~ s/\A(?![.])/./;
return undef
unless substr($host, -length $mydom) eq $mydom
or ".$host" eq $mydom;
}
return $referer;
}
## Login WWSympa
## The sso_login action is made of 4 subactions that make a complete workflow.
## Note that this comlexe workflow is only used if the SSO server does not
......@@ -11631,7 +11657,9 @@ sub do_d_read {
# File or directory?
 
if ($shared_doc->{type} eq 'url') {
$param->{'redirect_to'} = $shared_doc->{url};
$param->{'redirect_to'} = $shared_doc->{url}
if $shared_doc->{url}
and $shared_doc->{url} =~ m{\Ahttps?://}i;
return 1;
} elsif ($shared_doc->{type} eq 'file') {
$param->{'content_type'} = $shared_doc->{mime_type};
......
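Review bot: In `_clean_referer` (added in the `@@ -3410,6 +3412,30 @@` hunk), `URI->new($referer)->host` can return undef or an empty string for a value such as `http:` or `http:///path` that still satisfies the `m{\Ahttps?://}i` test, so `lc(...)` warns and `$host` becomes ''; in the `localhost` branch that empty host then compares equal whenever `get_http_host()` yields nothing (I cannot confirm from here under which conditions it does), and the malformed referer is handed back as a redirect target. A guard before the domain comparison closes that path: `my $host = URI->new($referer)->host; return undef unless defined $host and length $host; $host = lc $host;`. Separately, `$myhost` is compared with the lowercased `$host` but is never lowercased itself, unlike `$mydom` in the other branch; `my $myhost = lc(Sympa::WWW::Tools::get_http_host() || '');` keeps the comparison case-insensitive in both branches. A short comment above the suffix test, `# host must equal cookie_domain or be a subdomain of it`, would also make the intended scope explicit for the next reader.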