Merge pull request from GHSA-48vj-vvr6-jj4f
The URL must be validated before being used as a button link
PierreRambaud committed Apr 15, 2020
2 parents fcd799e + 0d649bc commit 06b7765
Showing 1 changed file with 12 additions and 3 deletions.
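--- a/src/PrestaShopBundle/Controller/Admin/SecurityController.php
+++ b/src/PrestaShopBundle/Controller/Admin/SecurityController.php
@@ -28,6 +28,7 @@
 
 use PrestaShopBundle\Service\Routing\Router as PrestaShopRouter;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\Validator\Constraints as Assert;
 
 /**
 * Admin controller to manage security pages.
@@ -37,6 +38,11 @@ class SecurityController extends FrameworkBundleAdminController
 public function compromisedAccessAction(Request $request)
 {
 $requestUri = urldecode($request->query->get('uri'));
+$url = new Assert\Url();
+$violations = $this->get('validator')->validate($requestUri, [$url]);
+if ($violations->count()) {
+return $this->redirect('dashboard');
+}
 
 // getToken() actually generate a new token
 $username = $this->get('prestashop.user_provider')->getUsername();
@@ -47,8 +53,11 @@ public function compromisedAccessAction(Request $request)
 
 $newUri = PrestaShopRouter::generateTokenizedUrl($requestUri, $newToken);
 
-return $this->render('@PrestaShop/Admin/Security/compromised.html.twig', array(
-'requestUri' => $newUri,
-));
+return $this->render(
+'@PrestaShop/Admin/Security/compromised.html.twig',
+array(
+'requestUri' => $newUri,
+)
+);
 }
 }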
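Review bot: The `Assert\Url` check added in compromisedAccessAction only establishes that `uri` is a syntactically valid http(s) URL; it does not tie the host to the shop, so an absolute URL pointing at an attacker-controlled host still passes and, as far as this diff shows, is what ends up as the `requestUri` button link rendered by `compromised.html.twig`. Consider also pinning the host to the current request, e.g. `if ($violations->count() || parse_url($requestUri, PHP_URL_HOST) !== $request->getHost()) {`, or restricting the parameter to a path on the admin host. Note as well that the default `Url` constraint treats `null` and `''` as valid, so a missing `uri` parameter (`urldecode(null)` yields `''`) is not rejected by this check and reaches `generateTokenizedUrl` with an empty string. Separately, the fallback `$this->redirect('dashboard')` passes a route-like name to a method that, in Symfony's base controller, expects a URL; unless `FrameworkBundleAdminController` overrides `redirect()`, `return $this->redirectToRoute('admin_dashboard');` is probably what was intended.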

