Fix CSRF vulnerability in permalink_page.php

John Page aka hyp3rlinx / ApparitionSec http://hyp3rlinx.altervista.org reported a CSRF vulnerability in permalink_page.php, allowing an attacker to inject arbitrary links (CVE-2017-7620). Backporting from master branch: - Add form security token to prevent such injection (code changed from original commit) 0d11077d40c5dfdb76efdad9ba2b455af5be25a0 - Encode '\' in string_sanitize_url() 7b23377c573817c5fe8b522e8c33de8b1caff179 Fixes #22702, #22816
mantisbt · May 20, 2017 · c4f50e5 · c4f50e5
1 parent b933abc
commit c4f50e5
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 2 deletions.
diff --git a/core/filter_api.php b/core/filter_api.php
@@ -3615,7 +3615,9 @@ function filter_draw_selection_area2( $p_page_number, $p_for_screen = true, $p_e
 		if( access_has_project_level( config_get( 'create_permalink_threshold' ) ) ) {
 			?>
 			<form method="get" action="permalink_page.php">
-				<?php # CSRF protection not required here - form does not result in modifications ?>
+                <?php # Add CSRF protection, see #22702
+                echo form_security_field( 'permalink' );
+                ?>
 				<input type="hidden" name="url" value="<?php echo urlencode( filter_get_url( $t_filter ) ) ?>" />
 				<input type="submit" name="reset_query_button" class="button-small" value="<?php echo lang_get( 'create_filter_link' ) ?>" />
 			</form>

diff --git a/core/string_api.php b/core/string_api.php
@@ -275,7 +275,9 @@ function string_sanitize_url( $p_url, $p_return_absolute = false ) {
 	}
 
 	# Start extracting regex matches
-	$t_script = $t_matches['script'];
+	# Encode backslashes to prevent unwanted escaping of a leading '/' allowing
+	# redirection to external sites
+	$t_script = strtr( $t_matches['script'], array( '\\' => '%5C' ) );
 	$t_script_path = $t_matches['path'];
 
 	# Clean/encode query params

diff --git a/permalink_page.php b/permalink_page.php
@@ -36,15 +36,19 @@
 require_once( 'core.php' );
 require_api( 'access_api.php' );
 require_api( 'config_api.php' );
+require_api( 'form_api.php' );
 require_api( 'gpc_api.php' );
 require_api( 'html_api.php' );
 require_api( 'lang_api.php' );
 require_api( 'print_api.php' );
 require_api( 'string_api.php' );
 require_api( 'utility_api.php' );
 
+form_security_validate( 'permalink' );
+
 html_page_top();
 
+
 access_ensure_project_level( config_get( 'create_permalink_threshold' ) );
 
 $f_url = string_sanitize_url( gpc_get_string( 'url' ) );
@@ -64,4 +68,5 @@
 ?>
 </div>
 <?php
+form_security_purge( 'permalink' );
 html_page_bottom();
diff --git a/tests/Mantis/StringTest.php b/tests/Mantis/StringTest.php
@@ -82,6 +82,7 @@ public function provider() {
 			array( 'plugin.php?page=Source/list&id=1#abc', 'plugin.php?page=Source%2Flist&id=1#abc'),
 			array( 'login_page.php?return=http://google.com/', 'index.php'),
 			array( 'javascript:alert(1);', 'index.php'),
+			array( '\/csrf-22702', '%5C/csrf-22702' ),
 		);
 
 		# @FIXME