Fix a number of open redirect vulnerabilities.

horde · Jul 3, 2017 · 5edc5e1 · 5edc5e1
1 parent 9370753
commit 5edc5e1
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 7 deletions.
diff --git a/lib/View/StoryDelete.php b/lib/View/StoryDelete.php
@@ -68,16 +68,13 @@ public function run()
                     $delete = $driver->deleteStory($info['channel_id'], $info['id']);
                     $notification->push(_("The story has been deleted."), 'horde.success');
                     Horde::url('stories/index.php', true)->add('channel_id', $channel_id)->setRaw(true)->redirect();
-                    exit;
                 } catch (Exception $e) {
                     $notification->push(sprintf(_("There was an error deleting the story: %s"), $e->getMessage()), 'horde.error');
                 }
             }
         } elseif (!empty($form_submit)) {
             $notification->push(_("Story has not been deleted."), 'horde.message');
-            $url = Horde::url('stories/index.php', true)->add('channel_id', $channel_id)->setRaw(true);
             Horde::url('stories/index.php', true)->add('channel_id', $channel_id)->setRaw(true)->redirect();
-            exit;
         }
 
         $GLOBALS['page_output']->header(array(

diff --git a/lib/View/StoryEdit.php b/lib/View/StoryEdit.php
@@ -38,7 +38,6 @@ public function run()
         } catch (Exception $e) {
             $notification->push(sprintf(_("Story editing failed: %s"), $e->getMessage()), 'horde.error');
             Horde::url('channels/index.php', true)->redirect();
-            exit;
         }
 
         /* Check permissions. */
@@ -64,7 +63,6 @@ public function run()
                 $result = $driver->saveStory($info);
                 $notification->push(sprintf(_("The story \"%s\" has been saved."), $info['title']), 'horde.success');
                 Horde::url('stories/index.php')->add('channel_id', $channel_id)->redirect();
-                exit;
             } catch (Exception $e) {
                 $notification->push(sprintf(_("There was an error saving the story: %s"), $e->getMessage()), 'horde.error');
             }

diff --git a/lib/View/StoryList.php b/lib/View/StoryList.php
@@ -34,9 +34,10 @@ public function run()
         }
 
         /* Check if a URL has been passed. */
-        $url = Horde_Util::getFormData('url');
-        if ($url) {
+        if ($url = Horde::verifySignedUrl(Horde_Util::getFormData('url'))) {
             $url = new Horde_Url($url);
+        } else {
+            $url = null;
         }
 
         try {