LEMONLDAP::NG : XSS prevention
This commit is contained in:
parent
66c60cc416
commit
8b4f38e58c
|
@ -30,7 +30,7 @@ sub autoRedirect {
|
|||
my $cookieName = $self->{cookieName};
|
||||
|
||||
if ( $self->{urldc}
|
||||
and $self->{urldc} !~ m#https?://[^/]*$tmp/#oi
|
||||
and $self->{urldc} !~ m#^https?://[^/]*$tmp/#oi
|
||||
and $self->{id}
|
||||
and $self->{urldc} !~ m#[\?&]?$cookieName=\w+&?#oi )
|
||||
{
|
||||
|
|
|
@ -396,7 +396,7 @@ sub controlUrlOrigin {
|
|||
$self->{urldc} = decode_base64( $self->param('url') );
|
||||
|
||||
# REJECT <, " and ' in URL or encoded '%' and non protected hosts
|
||||
if ( $self->{urldc} =~ /(?:<|'|"|\%(?:25|3C))/
|
||||
if ( $self->{urldc} =~ /(?:<|'|"|`|\%(?:25|3C|22|27|2C))/
|
||||
or $self->{urldc} !~ m#^https?://$self->{reVHosts}# )
|
||||
{
|
||||
delete $self->{urldc};
|
||||
|
|
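Review bot: The new `if ( $self->{urldc} =~ ... )` line in controlUrlOrigin is a character denylist with no `/i` modifier, so a lowercase-hex form such as `%3c` passes while `%3C` is rejected, and a literal `>` or `%3E` is never rejected at all; since `urldc` comes straight from a base64-decoded request parameter, I would at least add the modifier and the missing forms, ``if ( $self->{urldc} =~ /(?:<|>|'|"|`|\%(?:25|3C|3E|22|27|2C))/i``, and extend the comment above it to mention the backtick it now rejects. A denylist stays fragile, though: the real control is the allow-side test on the next line, so that host match should also be anchored after the host (``^https?://$self->{reVHosts}(?:[/?#]|$)``, assuming `reVHosts` is a host-only alternation — it is built outside this hunk), and the URL should be HTML-escaped wherever it is echoed. The same concern applies to the autoRedirect hunk: the added `^` stops a nested-URL match, but `$tmp` is interpolated into the pattern without `\Q...\E`, and under `/o` the pattern is compiled only once per process, so if `$tmp` can differ between requests in a persistent interpreter the first value is reused; `$tmp` is set above that hunk, so neither can be confirmed from here.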