[jan] SECURITY: Fix XSS vulnerability with pathinfo component in toSt…
…ring().
yunosh committed Jul 4, 2017
1 parent cc61cbd commit ac55a61
Showing 2 changed files with 8 additions and 4 deletions.
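--- a/framework/Url/lib/Horde/Url.php
+++ b/framework/Url/lib/Horde/Url.php
@@ -267,8 +267,12 @@ public function toString($raw = false, $full = true)
 : parse_url($this->url, PHP_URL_PATH);
 
 if (strlen($this->pathInfo)) {
-$url = rtrim($url, '/');
-$url .= '/' . $this->pathInfo;
+$url = rtrim($url, '/') . '/';
+if ($raw) {
+$url .= $this->pathInfo;
+} else {
+$url .= implode('/', array_map('rawurlencode', explode('/', $this->pathInfo)));
+}
 }
 
 if ($params = $this->_getParameters()) {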
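Review bot: The `$raw` branch still appends `$this->pathInfo` verbatim, so only the non-raw output is covered by this fix. Percent-encoding path segments is URL syntax rather than HTML escaping, so it would normally apply to both forms; if raw output has to stay untouched for compatibility, say so at the branch, e.g. `// raw: pathInfo is appended unencoded; the caller must encode or escape it for its output context`. In the else branch `rawurlencode` also turns `%` into `%25`, so a pathInfo that already holds percent-encoded segments would be double-encoded; how pathInfo is populated is not visible here, so check this against its setter. The commit changes only Url.php and package.xml, so a regression test covering both values of `$raw` is missing. toString() starts and ends outside the hunk.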
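--- a/framework/Url/package.xml
+++ b/framework/Url/package.xml
@@ -27,7 +27,7 @@
 </stability>
 <license uri="http://www.horde.org/licenses/lgpl21">LGPL-2.1</license>
 <notes>
-*
+* [jan] SECURITY: Fix XSS vulnerability with pathinfo component in toString().
 </notes>
 <contents>
 <dir baseinstalldir="/" name="/">
@@ -417,7 +417,7 @@
 <date>2016-02-02</date>
 <license uri="http://www.horde.org/licenses/lgpl21">LGPL-2.1</license>
 <notes>
-*
+* [jan] SECURITY: Fix XSS vulnerability with pathinfo component in toString().
 </notes>
 </release>
 </changelog>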
