Merge branch 'i22702-csrf'

mantisbt · May 20, 2017 · 0562a51 · 0562a51
2 parents 2d541e9 + 241ff4e
commit 0562a51
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 2 deletions.
diff --git a/core/filter_api.php b/core/filter_api.php
@@ -2451,8 +2451,11 @@ function filter_draw_selection_area2( $p_page_number, $p_for_screen = true, $p_e
 							filter_print_view_type_toggle( $t_url, $t_filter['_view_type'] );
 
 							if( access_has_project_level( config_get( 'create_permalink_threshold' ) ) ) {
+								# Add CSRF protection, see #22702
+								$t_permalink_url = urlencode( filter_get_url( $t_filter ) )
+									. form_security_param( 'permalink' );
 								echo '<li>';
-								echo '<a href="permalink_page.php?url=' . urlencode( filter_get_url( $t_filter ) ) . '">';
+								echo '<a href="permalink_page.php?url=' . $t_permalink_url . '">';
 								echo '<i class="ace-icon fa fa-link"></i>&#160;&#160;' . lang_get( 'create_filter_link' );
 								echo '</a>';
 								echo '</li>';

diff --git a/core/string_api.php b/core/string_api.php
@@ -275,7 +275,9 @@ function string_sanitize_url( $p_url, $p_return_absolute = false ) {
 	}
 
 	# Start extracting regex matches
-	$t_script = $t_matches['script'];
+	# Encode backslashes to prevent unwanted escaping of a leading '/' allowing
+	# redirection to external sites
+	$t_script = strtr( $t_matches['script'], array( '\\' => '%5C' ) );
 	$t_script_path = $t_matches['path'];
 
 	# Clean/encode query params

diff --git a/permalink_page.php b/permalink_page.php
@@ -36,13 +36,16 @@
 require_once( 'core.php' );
 require_api( 'access_api.php' );
 require_api( 'config_api.php' );
+require_api( 'form_api.php' );
 require_api( 'gpc_api.php' );
 require_api( 'html_api.php' );
 require_api( 'lang_api.php' );
 require_api( 'print_api.php' );
 require_api( 'string_api.php' );
 require_api( 'utility_api.php' );
 
+form_security_validate( 'permalink' );
+
 layout_page_header();
 
 layout_page_begin();
@@ -75,4 +78,5 @@
 ?>
 </div>
 <?php
+form_security_purge( 'permalink' );
 layout_page_end();
diff --git a/tests/Mantis/StringTest.php b/tests/Mantis/StringTest.php
@@ -82,6 +82,7 @@ public function provider() {
 			array( 'plugin.php?page=Source/list&id=1#abc', 'plugin.php?page=Source%2Flist&id=1#abc'),
 			array( 'login_page.php?return=http://google.com/', 'index.php'),
 			array( 'javascript:alert(1);', 'index.php'),
+			array( '\/csrf-22702', '%5C/csrf-22702' ),
 		);
 
 		# @FIXME