Fix URL redirection issue in login_page.php

dregad · dregad · commit d95f070db852 · 2015-01-10T23:25:54.000+01:00
The fix for issue #17648 failed to correct all cases of redirection. Alejo Popovici discovered that the regex checking for URLs pointing to other domains considered an URL with a single '/' as local, allowing redirection e.g. to http:/google.com on certain browsers. Fixes #17997 (CVE-2014-6316)
diff --git a/core/string_api.php b/core/string_api.php
@@ -252,8 +252,7 @@ function string_sanitize_url( $p_url, $p_return_absolute = false ) {
 
 	# Check for URL's pointing to other domains
 	if ( 0 == $t_type || empty( $t_matches['script'] ) ||
-		3 == $t_type && preg_match( '@(?:[^:]*)?://@', $t_url ) > 0 ) {
-
+		3 == $t_type && preg_match( '@(?:[^:]*)?:/*@', $t_url ) > 0 ) {
 		return ( $p_return_absolute ? $t_path . '/' : '' ) . 'index.php';
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -252,8 +252,7 @@ function string_sanitize_url( $p_url, $p_return_absolute = false ) {`
`252`	`252`
`253`	`253`	`# Check for URL's pointing to other domains`
`254`	`254`	`if ( 0 == $t_type \|\| empty( $t_matches['script'] ) \|\|`
`255`		`- 3 == $t_type && preg_match( '@(?:[^:]*)?://@', $t_url ) > 0 ) {`
`256`		`-`
	`255`	`+ 3 == $t_type && preg_match( '@(?:[^:])?:/@', $t_url ) > 0 ) {`
`257`	`256`	`return ( $p_return_absolute ? $t_path . '/' : '' ) . 'index.php';`
`258`	`257`	`}`
`259`	`258`