
Fix insecure login redirection

Checking only for a leading '/' doesn't protect users from phishing, because
protocol-relative URIs also start with '//'.

Refs: #9410
chinpei215 committed Sep 30, 2016
1 parent 7c593cb commit 3f8274d3eeb6f8c3ddd7769af7e8c3913580d768
@@ -766,7 +766,7 @@ protected function _getUser()
public function redirectUrl($url = null)
{
$redirectUrl = $this->request->query(static::QUERY_STRING_REDIRECT);
if ($redirectUrl && (substr($redirectUrl, 0, 1) !== '/')) {
if ($redirectUrl && (substr($redirectUrl, 0, 1) !== '/' || substr($redirectUrl, 0, 2) === '//')) {
$redirectUrl = null;
}
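Review bot: The widened condition on the second `if` line still accepts a value that begins with `/\`, which URL parsers following the WHATWG rules (and the browsers built on them) treat the same as `//` for http(s), so the protocol-relative case is only partly closed; consider rejecting that prefix as well, e.g. `|| substr($redirectUrl, 0, 2) === '/\\'` next to the `//` check, or moving the whole rule into a small `_isSafeRedirectUrl()` helper so it is stated once. A why-comment above the check, such as `// Only same-origin, path-absolute redirects are honoured; '//' (and '/\') would leave the host`, would make the intent clear to the next reader. The test in testRedirectQueryStringInvalid (second hunk) should gain a matching assertion for that variant. redirectUrl's body continues past the end of this hunk.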
@@ -1408,6 +1408,11 @@ public function testRedirectQueryStringInvalid()
$result = $this->Auth->redirectUrl();
$this->assertEquals('/users/home', $result);
$this->Auth->request->query = ['redirect' => '//some.domain.example/users/login'];
$result = $this->Auth->redirectUrl();
$this->assertEquals('/users/home', $result);
}
/**
