
[455] Security: prevent code execution after user redirect by header('Location: …'). Disable directory listing in the .htaccess file.
1 parent fd7a832 commit d2f61d1c863d54d7ad691d8d0023e8468672dbc3 @Shadez committed Jan 17, 2011
@@ -3,7 +3,7 @@
/**
* @package World of Warcraft Armory
* @version Release 4.50
- * @revision 450
+ * @revision 455
* @copyright (c) 2009-2011 Shadez
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
*
@@ -28,6 +28,7 @@
}
if(!isset($_SESSION['username'])) {
header('Location: index.xml?login=1');
+ exit;
}
if(isset($_GET['action']) && isset($_GET['r']) && isset($_GET['cn'])) {
$name = $utils->escape($_GET['cn']);
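Review bot: The `exit;` added after the `!isset($_SESSION['username'])` redirect is the right fix, but the same two-line pattern is now repeated by hand in every file of this commit, so the next redirect someone adds can miss it again exactly as these did. A tiny helper that does both, `function Redirect($url) { header('Location: ' . $url); exit; }`, called as `Redirect('index.xml?login=1');`, makes the omission impossible and keeps the intent readable. The enclosing code continues past both edges of this hunk.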
@@ -3,7 +3,7 @@
/**
* @package World of Warcraft Armory
* @version Release 4.50
- * @revision 450
+ * @revision 455
* @copyright (c) 2009-2011 Shadez
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
*
@@ -30,6 +30,7 @@
}
if(!isset($_SESSION['username'])) {
header('Location: login.xml?ref=character-select.xml');
+ exit;
}
header('Content-type: text/xml');
// Load XSLT template
@@ -3,7 +3,7 @@
/**
* @package World of Warcraft Armory
* @version Release 4.50
- * @revision 450
+ * @revision 455
* @copyright (c) 2009-2011 Shadez
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
*
@@ -23,5 +23,5 @@
**/
header('Location: index.xml');
-
- ?>
+exit;
+?>
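Review bot: The closing `?>` kept on the last line is the kind of thing that silently breaks `header()` calls elsewhere: in a PHP-only file, any whitespace or newline after the tag is sent to the client as output. Here nothing runs after the new `exit;`, so it is harmless today, but dropping the tag follows the usual convention and removes the risk if the `exit` is ever moved or removed again; the file would then end with `exit;`.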
@@ -3,7 +3,7 @@
/**
* @package World of Warcraft Armory
* @version Release 4.50
- * @revision 450
+ * @revision 455
* @copyright (c) 2009-2011 Shadez
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
*
@@ -53,6 +53,7 @@
}
if(!isset($_SESSION['accountId'])) {
header('Location: login.xml?ref=' . urlencode(sprintf('guild-bank-contents.xml?r=%s&gn=%s', Armory::$currentRealmInfo['name'], $guilds->guildName)));
+ exit;
}
elseif(!$utils->IsAllowedToGuildBank($guilds->guildId, Armory::$currentRealmInfo['id'])) {
// Load XSLT template
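Review bot: The `ref` value built on the redirect line encodes the whole `guild-bank-contents.xml?r=…&gn=…` string once, but the realm and guild names are placed into that query string raw by `sprintf`; after the login page decodes `ref` and redirects to it, a name containing `&`, `#` or `=` (if such names are possible — I cannot tell from here) would split or truncate the target URL. Encoding each value where it is inserted avoids that: `urlencode(sprintf('guild-bank-contents.xml?r=%s&gn=%s', urlencode(Armory::$currentRealmInfo['name']), urlencode($guilds->guildName)))`. The `if`/`elseif` chain this belongs to continues past the end of the hunk.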
@@ -3,7 +3,7 @@
/**
* @package World of Warcraft Armory
* @version Release 4.50
- * @revision 450
+ * @revision 455
* @copyright (c) 2009-2011 Shadez
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
*
@@ -52,6 +52,7 @@
}
if(!isset($_SESSION['accountId'])) {
header('Location: login.xml?ref=' . urlencode(sprintf('guild-bank-log.xml?r=%s&gn=%s', Armory::$currentRealmInfo['name'], $guilds->guildName)));
+ exit;
}
elseif(!$utils->IsAllowedToGuildBank($guilds->guildId, Armory::$currentRealmInfo['id'])) {
// Load XSLT template
Binary file not shown.
@@ -3,7 +3,7 @@
/**
* @package World of Warcraft Armory
* @version Release 4.50
- * @revision 450
+ * @revision 455
* @copyright (c) 2009-2011 Shadez
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
*
@@ -97,6 +97,7 @@
/* Check maintenance */
if(Armory::$armoryconfig['maintenance'] == true && !defined('MAINTENANCE_PAGE')) {
header('Location: maintenance.xml');
+ exit;
}
if(!@include(__ARMORYDIRECTORY__ . '/includes/UpdateFields.php')) {
die('<b>Error:</b> unable to load UpdateFields.php!');
@@ -123,29 +124,34 @@
$sess_count = $utils->GetSessionsCount();
if($sess_count >= Armory::$armoryconfig['maxSessionCount'] && !$utils->IsCorrectSession() && !defined('LIMIT_PAGE')) {
header('Location: limit.xml');
+ exit;
}
elseif($sess_count < Armory::$armoryconfig['maxSessionCount'] && !$utils->IsCorrectSession()) {
// we can create session
$utils->CreateNewSession();
if(defined('LIMIT_PAGE')) {
header('Location: index.xml');
+ exit;
}
}
elseif($sess_count < Armory::$armoryconfig['maxSessionCount'] && $utils->IsCorrectSession()) {
// just update
$utils->UpdateSession();
if(defined('LIMIT_PAGE')) {
header('Location: index.xml');
+ exit;
}
}
*/
}
/** Login **/
if(isset($_GET['login']) && $_GET['login'] == 1) {
header('Location: login.xml');
+ exit;
}
elseif(isset($_GET['logout']) && $_GET['logout'] == 1) {
header('Location: login.xml?logoff');
+ exit;
}
/** Locale change **/
@@ -199,6 +205,7 @@
$returnUrl = $_SESSION['last_url'];
}
header('Location: ' . $returnUrl);
+ exit;
}
$_locale = (isset($_SESSION['armoryLocale'])) ? $_SESSION['armoryLocale'] : Armory::GetLocale();
if(defined('load_characters_class')) {
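Review bot: The `exit;` after `header('Location: ' . $returnUrl)` in the last hunk is correct, but the redirect target itself is still not validated: in the visible branch `$returnUrl` is taken from `$_SESSION['last_url']`, and the other assignment is outside the hunk, so if `last_url` is ever populated from the request (a Referer header or a query parameter) this is an open redirect. A guard just before the header keeps it site-relative: `if(preg_match('#^\s*(?:[a-z][a-z0-9+.\-]*:|[/\\\\]{2})#i', $returnUrl)) { $returnUrl = 'index.xml'; }`. Separately, the three `exit;` lines added at the session-limit redirects in the middle hunk sit inside the block that is commented out (the `*/` a few lines below closes it), so they are inert; deleting that dead block would be better than patching it. The locale-change block the last hunk edits starts outside the hunk.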
@@ -1,5 +1,5 @@
<?php
-define('ARMORY_REVISION', 454);
+define('ARMORY_REVISION', 455);
define('DB_VERSION', 'armory_r434');
define('CONFIG_VERSION', '2812201001');
?>
@@ -3,7 +3,7 @@
/**
* @package World of Warcraft Armory
* @version Release 4.50
- * @revision 450
+ * @revision 455
* @copyright (c) 2009-2011 Shadez
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
*
@@ -49,9 +49,11 @@
else {
if(!isset($_GET['ref'])) {
header('Location: index.xml');
+ exit;
}
else {
header('Location: ' . $_GET['ref']);
+ exit;
}
}
}
@@ -64,9 +66,11 @@
elseif(isset($_SESSION['accountId'])) {
if(isset($_GET['ref'])) {
header('Location: ' . $_GET['ref']);
+ exit;
}
else {
header('Location: index.xml');
+ exit;
}
}
$xml->LoadXSLT('login.xsl');
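Review bot: Both `header('Location: ' . $_GET['ref']);` lines pass a query-string value straight to the Location header, so `login.xml?ref=http://attacker.example/` (or `//attacker.example/`, or the backslash form) sends a user who has just logged in to an arbitrary site — an open redirect that the added `exit;` does not address, and the same value is sent even when no login happened. Only site-relative targets should be followed; the rewrite below replaces the `if(!isset($_GET['ref']))`/`else` pair in the first hunk with one validated path, and the second occurrence in the `isset($_SESSION['accountId'])` branch needs the identical change. The rejected case falls back to `index.xml`, which is what the `ref`-less branch already does. Both enclosing blocks start outside the hunks.
```php
// … unchanged: credential check …
$ref = isset($_GET['ref']) ? (string) $_GET['ref'] : '';
// Follow only site-relative targets: an absolute URL, a protocol-relative
// "//host" or its backslash form would let ?ref= send the user off-site.
if($ref === '' || preg_match('#^\s*(?:[a-z][a-z0-9+.\-]*:|[/\\\\]{2})#i', $ref)) {
    $ref = 'index.xml';
}
header('Location: ' . $ref);
exit;
```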
@@ -2,8 +2,8 @@
/**
* @package World of Warcraft Armory
- * @version Release Candidate 1
- * @revision 440
+ * @version Release 4.50
+ * @revision 450
* @copyright (c) 2009-2011 Shadez
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
*
