Encode '\' in string_sanitize_url()

As an extra safety measure following up on the fix for CVE-2017-7620, we encode the backslashes in the 'script' part of the URL to ensure that the sanitized URL is treated as a path relative to MantisBT root and not a link to an external site if the URL begins with an escaped `/`. This reduces the risk of someone being able to use the same attack vector in another page. Fixes #22702, #22816
mantisbt · May 20, 2017 · f664409 · f664409
1 parent f21b56f
commit f664409
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/core/string_api.php b/core/string_api.php
@@ -275,7 +275,9 @@ function string_sanitize_url( $p_url, $p_return_absolute = false ) {
 	}
 
 	# Start extracting regex matches
-	$t_script = $t_matches['script'];
+	# Encode backslashes to prevent unwanted escaping of a leading '/' allowing
+	# redirection to external sites
+	$t_script = strtr( $t_matches['script'], array( '\\' => '%5C' ) );
 	$t_script_path = $t_matches['path'];
 
 	# Clean/encode query params