Home Explore Help
Sign In
githab
/
cakephp
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Fix insecure login redirection

Checking a leading '/' doesn't protect users from phishing because
protocol-relative URIs start with '//'.

Refs: #9410
chinpei215 9 years ago
parent
7c593cbf4d
commit
3f8274d3ee
2 changed files with 6 additions and 1 deletions
Split View Show Diff Stats
  1. 1 1
      src/Controller/Component/AuthComponent.php
  2. 5 0
      tests/TestCase/Controller/Component/AuthComponentTest.php

+ 1 - 1
src/Controller/Component/AuthComponent.php
View File 

@@ -766,7 +766,7 @@ class AuthComponent extends Component
 
     public function redirectUrl($url = null)
 
     {
 
         $redirectUrl = $this->request->query(static::QUERY_STRING_REDIRECT);
 
-        if ($redirectUrl && (substr($redirectUrl, 0, 1) !== '/')) {
 
+        if ($redirectUrl && (substr($redirectUrl, 0, 1) !== '/' || substr($redirectUrl, 0, 2) === '//')) {
 
             $redirectUrl = null;
 
         }

+ 5 - 0
tests/TestCase/Controller/Component/AuthComponentTest.php
View File 

@@ -1408,6 +1408,11 @@ class AuthComponentTest extends TestCase
 
 
         $result = $this->Auth->redirectUrl();
 
         $this->assertEquals('/users/home', $result);
 
+
 
+        $this->Auth->request->query = ['redirect' => '//some.domain.example/users/login'];
 
+
 
+        $result = $this->Auth->redirectUrl();
 
+        $this->assertEquals('/users/home', $result);
 
     }
 
 
     /**