LEMONLDAP::NG : Enforce XSS protection by deleting bad urls
This commit is contained in:
parent
e4603c4276
commit
35df5dddb8
|
@ -24,7 +24,7 @@ else {
|
|||
print 'Error: ' . $portal->error . '<br />';
|
||||
print '<form method="post" action="' . $ENV{SCRIPTNAME} . '">';
|
||||
print '<input type="hidden" name="url" value="'
|
||||
. $portal->param('url') . '" />';
|
||||
. $portal->get_url . '" />';
|
||||
print 'Login : <input name="user" /><br />';
|
||||
print
|
||||
'Password : <input name="password" type="password" autocomplete="off"><br>';
|
||||
|
|
|
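Review bot: The value printed into the hidden `url` input (the `print '<input type="hidden" name="url" value="'` line) is still concatenated raw into an HTML attribute; get_url only rejects `<` and the encoded forms `%25`/`%3C`, so a double quote in the parameter would still close the attribute. Escaping at the output point is the robust fix whatever the filter admits, e.g. `. CGI::escapeHTML( $portal->get_url ) . '" />';` if the portal object is CGI-based (its `header`/`param` calls suggest so; please confirm), or `HTML::Entities::encode_entities`. Note also that get_url's bare `return` yields undef here, which under `use warnings` emits an uninitialized-value warning in the concatenation. The enclosing `else` block begins outside the hunk.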
@ -77,7 +77,7 @@ else {
|
|||
|
||||
$template->param( AUTH_ERROR => $portal->error );
|
||||
$template->param( AUTH_ERROR_TYPE => $portal->error_type );
|
||||
$template->param( AUTH_URL => $portal->param('url') );
|
||||
$template->param( AUTH_URL => $portal->get_url );
|
||||
$template->param( DISPLAY_FORM => 1 );
|
||||
|
||||
print $portal->header('text/html; charset=utf8');
|
||||
|
|
|
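Review bot: `$template->param( AUTH_URL => $portal->get_url )` calls get_url in list context, and get_url's bare `return` on a rejected URL yields an empty list, so the call collapses to `$template->param('AUTH_URL')`, the one-argument getter form, and the parameter is silently never set. Forcing scalar context makes the intent explicit: `$template->param( AUTH_URL => scalar $portal->get_url );`. Whether the template escapes AUTH_URL (an `ESCAPE=HTML` on the TMPL_VAR) cannot be seen here; if it does not, the value needs escaping at the template boundary rather than relying on the filter alone. The enclosing `else` block starts outside the hunk.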
@ -345,6 +345,13 @@ sub notification {
|
|||
return $self->{_notification};
|
||||
}
|
||||
|
||||
##@method string get_url()
|
||||
# check url against XSS attacks
|
||||
sub get_url {
|
||||
my ($self) = @_;
|
||||
return if ($self->param('url') =~ /(?:<|\%(?:25|3C))/);
|
||||
return $self->param('url');
|
||||
}
|
||||
###############################################################
|
||||
# MAIN subroutine: call all steps until one returns something #
|
||||
# different than PE_OK #
|
||||
|
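Review bot: The rejection regex in get_url, `/(?:<|\%(?:25|3C))/`, is case-sensitive, so the lowercase hex form of the same encoding is not caught; add the `/i` modifier, and the identical pattern in controlUrlOrigin further down needs the same. More fundamentally this is a blacklist; since the portal already knows its allowed hosts (`$self->{reVHosts}`), validating the URL positively against that pattern would be the defensible check, with the character blacklist at most as belt-and-braces. Also `$self->param('url')` may be undef when the parameter is absent, which makes the match warn under `use warnings`; `my $url = $self->param('url') // return;` (5.10+) guards that. The header comment `# check url against XSS attacks` should state the contract, e.g. `# Returns the url parameter, or nothing if it contains '<' or an encoded '%' / '<'`.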
@ -388,7 +395,10 @@ sub controlUrlOrigin {
|
|||
$self->{urldc} = decode_base64( $self->param('url') );
|
||||
|
||||
# REJECT '<' in URL or encoded '%' and non protected hosts
|
||||
return PE_BADURL if($self->{urldc} =~ /(?:<|\%(?:25|3C))/ or $self->{urldc} !~ m#https?://$self->{reVHosts}#);
|
||||
if($self->{urldc} =~ /(?:<|\%(?:25|3C))/ or $self->{urldc} !~ m#https?://$self->{reVHosts}#) {
|
||||
delete $self->{urldc};
|
||||
return PE_BADURL;
|
||||
}
|
||||
}
|
||||
elsif($self->{mustRedirect}) {
|
||||
$self->{urldc} = $self->{portal};
|
||||
|
|
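Review bot: The host check `$self->{urldc} !~ m#https?://$self->{reVHosts}#` on the new `if` line is unanchored, so it only requires the allowed-host pattern to occur somewhere in the decoded URL rather than at its start; anchor it, `m#\Ahttps?://$self->{reVHosts}#`, and confirm that `reVHosts` itself is delimited so a longer hostname sharing an allowed prefix does not match (its construction is not visible here). The `delete $self->{urldc}` before `return PE_BADURL` is the right cleanup, but the character check on the same line shares the case-sensitivity gap noted for get_url and should also take `/i`. controlUrlOrigin starts and ends outside the hunk.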