diff --git a/nag/app/controllers/CompleteTask.php b/nag/app/controllers/CompleteTask.php
index 93c7f5be158..41efb735013 100644
--- a/nag/app/controllers/CompleteTask.php
+++ b/nag/app/controllers/CompleteTask.php
@@ -18,8 +18,8 @@ public function processRequest(Horde_Controller_Request $request, Horde_Controll
$requestVars['format'] == 'json') {
$response->setContentType('application/json');
$response->setBody(json_encode($result));
- } elseif ($requestVars['url']) {
- $response->setRedirectUrl($requestVars['url']);
+ } elseif ($url = Horde::verifySignedUrl($requestVars['url'])) {
+ $response->setRedirectUrl($url);
}
}
}
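Review bot: The `$requestVars['url']` lookup on the new elseif line is unguarded, so a request that carries no `url` parameter emits an undefined-index notice before `Horde::verifySignedUrl` is reached; `} elseif (isset($requestVars['url']) && ($url = Horde::verifySignedUrl($requestVars['url']))) {` keeps the check notice-free. The original truthiness test had the same gap, so this is pre-existing rather than introduced here. Unlike SaveTask and the trean controllers, a URL that fails signature verification here produces neither a redirect nor an error body, which is presumably intentional for the JSON path but deserves a comment such as `// Only follow redirect targets signed by Horde; unsigned ones are ignored to prevent open redirects.`. processRequest begins outside the hunk.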
diff --git a/nag/app/controllers/SaveTask.php b/nag/app/controllers/SaveTask.php
index dfb6d0032bd..bd285e968d0 100644
--- a/nag/app/controllers/SaveTask.php
+++ b/nag/app/controllers/SaveTask.php
@@ -110,11 +110,14 @@ public function processRequest(Horde_Controller_Request $request, Horde_Controll
'tasklist_id' => $info['tasklist_id'],
'parent' => $info['parent']));
} else {
- $url = Horde_Util::getFormData('url', (string)Horde::url('list.php', true));
- $url = Horde::url($url, true);
+ if ($url = Horde::verifySignedUrl(Horde_Util::getFormData('url'))) {
+ $url = Horde::url($url, true);
+ } else {
+ $url = Horde::url('list.php', true);
+ }
}
- $response->setRedirectUrl($url);
+ $response->setRedirectUrl((string)$url);
}
/**
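Review bot: The fallback branch and the `(string)$url` cast make the redirect handling here diverge from CompleteTask and the trean controllers, which hand the verified value or `Horde_Url` object to `setRedirectUrl()` uncast; settling on one convention across the four controllers would make the open-redirect fix easier to audit. The verified `$url` is also passed through `Horde::url($url, true)` again — if `verifySignedUrl` already yields an absolute URL this is presumably harmless, but a one-line comment such as `// The signature check, not Horde::url(), is what rejects attacker-supplied redirect targets.` would record that the second call is not the security boundary. processRequest continues outside the hunk.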
diff --git a/nag/docs/CHANGES b/nag/docs/CHANGES
index a2cab224078..1bfa483efb8 100644
--- a/nag/docs/CHANGES
+++ b/nag/docs/CHANGES
@@ -2,6 +2,7 @@
v4.2.15-git
-----------
+[jan] SECURITY: Fix open redirects.
[mjr] Fix handling of delayed start dates (Bug #14634).
diff --git a/nag/package.xml b/nag/package.xml
index ffd5a852227..b60cc12973b 100644
--- a/nag/package.xml
+++ b/nag/package.xml
@@ -33,6 +33,7 @@
GPL-2.0
+* [jan] SECURITY: Fix open redirects.
* [mjr] Fix handling of delayed start dates (Bug #14634).
@@ -575,7 +576,7 @@
Horde_Core
pear.horde.org
- 2.6.1
+ 2.30.0
3.0.0alpha1
3.0.0alpha1
@@ -1793,6 +1794,7 @@
2017-03-20
GPL-2.0
+* [jan] SECURITY: Fix open redirects.
* [mjr] Fix handling of delayed start dates (Bug #14634).
diff --git a/trean/app/controllers/DeleteBookmark.php b/trean/app/controllers/DeleteBookmark.php
index 5f56aed8d05..0b9d5ebf303 100644
--- a/trean/app/controllers/DeleteBookmark.php
+++ b/trean/app/controllers/DeleteBookmark.php
@@ -21,7 +21,10 @@ public function processRequest(Horde_Controller_Request $request, Horde_Controll
$response->setContentType('application/json');
$response->setBody(json_encode($result));
} else {
- $response->setRedirectUrl(Horde_Util::getFormData('url', Horde::url('browse.php', true)));
+ if (!($url = Horde::verifySignedUrl(Horde_Util::getFormData('url')))) {
+ $url = Horde::url('browse.php', true);
+ }
+ $response->setRedirectUrl($url);
}
}
}
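Review bot: `Horde_Util::getFormData('url')` is called without a default on the new `if` line, so when the form field is absent `Horde::verifySignedUrl()` receives `null`; that presumably fails verification and falls through to the `browse.php` default, but confirming the helper tolerates a non-string argument avoids a notice on the missing-parameter path. The same construction appears in SaveBookmark.php in this commit. A why-comment on the `if` would help later readers, e.g. `// Accept only Horde-signed redirect targets; anything else goes to browse.php (open-redirect fix).`. processRequest begins outside the hunk.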
diff --git a/trean/app/controllers/SaveBookmark.php b/trean/app/controllers/SaveBookmark.php
index 15414ed1d2d..a0e17d0099f 100644
--- a/trean/app/controllers/SaveBookmark.php
+++ b/trean/app/controllers/SaveBookmark.php
@@ -30,7 +30,10 @@ public function processRequest(Horde_Controller_Request $request, Horde_Controll
$response->setContentType('application/json');
$response->setBody(json_encode($result));
} else {
- $response->setRedirectUrl(Horde_Util::getFormData('url', Horde::url('browse.php', true)));
+ if (!($url = Horde::verifySignedUrl(Horde_Util::getFormData('url')))) {
+ $url = Horde::url('browse.php', true);
+ }
+ $response->setRedirectUrl($url);
}
}
}
diff --git a/trean/docs/CHANGES b/trean/docs/CHANGES
index 96c640e5b2f..79f4359f1c0 100644
--- a/trean/docs/CHANGES
+++ b/trean/docs/CHANGES
@@ -2,6 +2,7 @@
v1.1.8-git
----------
+[jan] SECURITY: Fix open redirects.
------
diff --git a/trean/package.xml b/trean/package.xml
index 50e0c6e2f4c..8e6f66de24f 100644
--- a/trean/package.xml
+++ b/trean/package.xml
@@ -33,7 +33,7 @@
BSD-2-Clause
-*
+* [jan] SECURITY: Fix open redirects.
@@ -326,7 +326,7 @@
Horde_Core
pear.horde.org
- 2.0.0
+ 2.30.0
3.0.0alpha1
3.0.0alpha1
@@ -813,7 +813,7 @@
2016-12-16
BSD-2-Clause
-*
+* [jan] SECURITY: Fix open redirects.