[Security] Open redirect with trailing slash redirect #3134
Comments
Seems to be a non-issue in Grav 1.7.
@mahagr Any plans to fix the security issue? Otherwise https://github.com/getgrav/grav/blob/develop/SECURITY.md must be updated.
@Rotzbua this is out of curiosity, are you actually unable to update to 1.7? If so, mind sharing the reasons? Trying to evaluate if this might actually be a possibility.
I am currently evaluating the upgrade to 1.7. But
That's why I was asking. We still want to have security fixes ported to 1.6, like the one you asked about, however I am thinking we shouldn't advertise support for 1.6 in that SECURITY.md file. Mainly the problem is that on 1.6 all you can do is patch. We don't have, currently, an infrastructure that lets you update to the latest 1.6, you can only ever update to the latest stable version (1.7) or manually install the 1.6 package downloaded from GitHub. The only reason one would decide to stick to 1.6 is mainly PHP version restrictions on the server hosting, otherwise we do advise to update to 1.7 always. FYI, we are investigating the issue and I updated the SECURITY.md with the above.
👍 FYI: my upgrade from 1.6.31 to 1.7.7 was without any problems. Thanks for your great work.
Environment
grav version: v1.6.31 - Admin v1.9.19
php: 7.4 and 7.2 tested
Problem
If Grav is in the root folder of a domain, there seems to be an open redirect.
First analysis
The origin of the problem seems to be the redirect triggered by the setting "Redirect trailing slash" being on.
Examples
Open redirect if on root folder:
https://yourdomain.example/%252f%255cwelovetoexploit%252fa%253fb/
Response header (short):
It redirects to:
welovetoexploit/a?b
Less (?) of a problem if in a subfolder:
https://yourdomain.example/gravsubfolder/%252f%255cwelovetoexploit%252fa%253fb/
Response header (short):
The current version 1.7 seems to be fixed, example:
https://getgrav.org/%252f%255cwelovetoexploit%252fa%253fb/
Reference
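The following is an added example, not Grav's code and not part of the original issue: a small Python model of the trailing-slash redirect, with the two payload URLs from the report as constructed inputs. It assumes that the route is percent-decoded a second time before the trailing slash is stripped (the exact Grav code path is not on this page, so that is an assumption), and `resolve_like_browser` is my own approximation of how a browser resolves a `Location` value whose path starts with `/\` or `//`. All function names are hypothetical.

```python
from typing import Optional
from urllib.parse import quote, unquote, urljoin

ORIGIN = "https://yourdomain.example"  # origin used in the issue's examples

# Constructed inputs, copied from the issue: %252f%255c is "/\" percent-encoded twice.
ROOT_PAYLOAD = "/%252f%255cwelovetoexploit%252fa%253fb/"
SUBFOLDER_PAYLOAD = "/gravsubfolder/%252f%255cwelovetoexploit%252fa%253fb/"


def decode_route(raw_path: str, passes: int = 2) -> str:
    """Percent-decode the request path `passes` times.

    The web server decodes once. The vulnerable behaviour modelled here
    (an assumption, not Grav's real code) is a second decode of the route,
    which turns the remaining %2f%5c into the literal characters "/\\".
    """
    route = raw_path
    for _ in range(passes):
        route = unquote(route)
    return route


def naive_trailing_slash_redirect(raw_path: str) -> Optional[str]:
    """Vulnerable model: drop the trailing slash from the fully decoded
    route and emit it unchanged as the Location header value."""
    route = decode_route(raw_path)
    if len(route) > 1 and route.endswith("/"):
        return route[:-1]
    return None  # no trailing slash, no redirect


def resolve_like_browser(location: str, origin: str) -> str:
    """Approximate browser resolution of a Location header (hypothetical
    helper): for http(s) URLs the WHATWG parser treats "\\" like "/" and
    skips every extra slash after a leading "//", so "/\\evil" and
    "//\\evil" both become scheme-relative URLs whose host is "evil"."""
    loc = location.replace("\\", "/")
    if loc.startswith("//"):
        loc = "//" + loc.lstrip("/")
    return urljoin(origin + "/", loc)


def is_local_redirect(location: str) -> bool:
    """Accept only a same-origin absolute path: one leading slash, no
    backslash anywhere (browsers read it as a slash), and no empty path
    segment, which would otherwise let "//host" forms through."""
    if not location.startswith("/") or "\\" in location:
        return False
    if location == "/":
        return True
    return all(location[1:].split("/"))


def safe_trailing_slash_redirect(raw_path: str) -> Optional[str]:
    """Hardened model: decode, strip the trailing slash, refuse anything
    that is not a plain same-origin path, and re-encode the path before it
    goes into the header so decoded "?" or "\\" never reach the browser raw."""
    target = naive_trailing_slash_redirect(raw_path)
    if target is None or not is_local_redirect(target):
        return None  # do not redirect; serve a 404 or the page as-is instead
    return quote(target, safe="/")


if __name__ == "__main__":
    for payload in (ROOT_PAYLOAD, SUBFOLDER_PAYLOAD, "/blog/my-post/"):
        naive = naive_trailing_slash_redirect(payload)
        print(payload)
        print("  naive Location :", naive)
        print("  browser goes to:", resolve_like_browser(naive, ORIGIN))
        print("  hardened       :", safe_trailing_slash_redirect(payload))
```

Run stand-alone, the root payload shows the naive Location value resolving to a foreign host, while the subfolder payload stays on the origin (the "less of a problem" case from the report); the hardened function refuses both and only re-encodes ordinary paths.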