LEMONLDAP::NG : Enforce XSS protection by deleting bad urls

2008-12-03 16:41:30 +00:00 · 2008-12-03 16:41:30 +00:00 · 35df5dddb8
commit 35df5dddb8
parent e4603c4276
3 changed files with 13 additions and 3 deletions
--- a/modules/lemonldap-ng-portal/example/index_simple.pl
+++ b/modules/lemonldap-ng-portal/example/index_simple.pl
@ -24,7 +24,7 @@ else {
    print 'Error: ' . $portal->error . '<br />';
    print '<form method="post" action="' . $ENV{SCRIPTNAME} . '">';
    print '<input type="hidden" name="url" value="'
-      . $portal->param('url') . '" />';
+      . $portal->get_url . '" />';
    print 'Login : <input name="user" /><br />';
    print
 'Password : <input name="password" type="password" autocomplete="off"><br>';
--- a/modules/lemonldap-ng-portal/example/index_skin.pl
+++ b/modules/lemonldap-ng-portal/example/index_skin.pl
@ -77,7 +77,7 @@ else {

    $template->param( AUTH_ERROR      => $portal->error );
    $template->param( AUTH_ERROR_TYPE => $portal->error_type );
-    $template->param( AUTH_URL        => $portal->param('url') );
+    $template->param( AUTH_URL        => $portal->get_url );
    $template->param( DISPLAY_FORM    => 1 );

    print $portal->header('text/html; charset=utf8');
--- a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm
+++ b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm
@ -345,6 +345,13 @@ sub notification {
    return $self->{_notification};
 }

+##@method string get_url()
+# check url against XSS attacks
+sub get_url {
+    my ($self) = @_;
+    return if ($self->param('url') =~ /(?:<|\%(?:25|3C))/);
+    return $self->param('url');
+}
 ###############################################################
 # MAIN subroutine: call all steps until one returns something #
 #                  different than PE_OK                       #
@ -388,7 +395,10 @@ sub controlUrlOrigin {
        $self->{urldc} = decode_base64( $self->param('url') );

        # REJECT '<' in URL or encoded '%' and non protected hosts
-        return PE_BADURL if($self->{urldc} =~ /(?:<|\%(?:25|3C))/ or $self->{urldc} !~ m#https?://$self->{reVHosts}#);
+        if($self->{urldc} =~ /(?:<|\%(?:25|3C))/ or $self->{urldc} !~ m#https?://$self->{reVHosts}#) {
+            delete $self->{urldc};
+            return PE_BADURL;		
+	}
    }
    elsif($self->{mustRedirect}) {
        $self->{urldc} = $self->{portal};