prevent redirect feature to redirect outside of glpi
orthagh authored and trasher committed May 5, 2020
1 parent 039c184 commit 5a74983b5f26932e8b8b736dafa7d6d963a25e0d
Showing 1 changed file with 8 additions and 4 deletions.
@@ -1811,8 +1811,10 @@ static function manageRedirect($where) {
if (!empty($where)) {

if (Session::getCurrentInterface()) {
$decoded_where = rawurldecode($where);
// redirect to URL : URL must be rawurlencoded
$decoded_where = rawurldecode($where);

// redirect to full url -> check if it's based on glpi url
if (preg_match('@(([^:/].+:)?//[^/]+)(/.+)?@', $decoded_where, $matches)) {
if ($matches[1] !== $CFG_GLPI['url_base']) {
Session::addMessageAfterRedirect('Redirection failed');
@@ -1825,10 +1827,12 @@ static function manageRedirect($where) {
Html::redirect($decoded_where);
}
}
// Redirect based on GLPI_ROOT : URL must be rawurlencoded

// Redirect to relative url -> redirect with glpi url to prevent exploits
if ($decoded_where[0] == '/') {
// echo $decoded_where;exit();
Html::redirect($CFG_GLPI["root_doc"].$decoded_where);
$redirect_to = $CFG_GLPI["url_base"].$decoded_where;
//echo $redirect_to; exit();
Html::redirect($redirect_to);
}

$data = explode("_", $where);
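Review bot: The origin check in the first hunk is an exact `!==` on `$matches[1]` against `$CFG_GLPI['url_base']`, and the pattern `'@(([^:/].+:)?//[^/]+)(/.+)?@'` is unanchored, so any value containing `//` anywhere (including a relative path whose query string carries an absolute URL) takes this branch and ends in 'Redirection failed' instead of reaching the relative-URL branch in the second hunk. Failing closed is the right default for an open-redirect fix, but if that case is meant to work, anchoring the pattern with `^` keeps the two branches exclusive while the relative branch stays safe because it is always prefixed with `url_base`; likewise a scheme or host that differs from `url_base` only in case or port is currently rejected, which deserves a comment such as `// exact match on scheme+host: case or port variants of url_base are deliberately refused`. The leftover debug comment `//echo $redirect_to; exit();` in the second hunk should be dropped. manageRedirect starts and ends outside both hunks, and the lines between them (the branch taken when the origin does match) are not shown here.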
