Fix a number of open redirect vulnerabilities.

horde · Jul 3, 2017 · a0bc004 · a0bc004
1 parent cd10068
commit a0bc004
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 4 deletions.
diff --git a/docs/CHANGES b/docs/CHANGES
@@ -2,6 +2,7 @@
 v3.0.11-git
 -----------
 
+[jan] SECURITY: Fix open redirects.
 [jan] Fix decoding serialized attributes loaded from the backend.
 [jan] Don't allow to add unsported image attributes (Bug #14659).
 [jan] Fix deleting attributes from ticket types (Bug 14111).

diff --git a/mybugs_edit.php b/mybugs_edit.php
@@ -23,8 +23,8 @@
                 (int)Horde_Util::getFormData('col'));
 if ($layout->updated()) {
     $prefs->setValue('mybugs_layout', $layout->serialize());
-    if (Horde_Util::getFormData('url')) {
-        $url = new Horde_Url(Horde_Util::getFormData('url'));
+    if ($url = Horde::verifySignedUrl(Horde_Util::getFormData('url'))) {
+        $url = new Horde_Url($url);
         $url->unique()->redirect();
     }
 }

diff --git a/package.xml b/package.xml
@@ -27,6 +27,7 @@
  </stability>
  <license uri="http://www.horde.org/licenses/bsdl.php">BSD-2-Clause</license>
  <notes>
+* [jan] SECURITY: Fix open redirects.
 * [jan] Fix decoding serialized attributes loaded from the backend.
 * [jan] Don&apos;t allow to add unsported image attributes (Bug #14659).
 * [jan] Fix deleting attributes from ticket types (Bug 14111).
@@ -516,7 +517,7 @@
    <package>
     <name>Horde_Core</name>
     <channel>pear.horde.org</channel>
-    <min>2.0.0</min>
+    <min>2.30.0</min>
     <max>3.0.0alpha1</max>
     <exclude>3.0.0alpha1</exclude>
    </package>
@@ -1261,6 +1262,7 @@
    <date>2017-06-23</date>
    <license uri="http://www.horde.org/licenses/bsdl.php">BSD-2-Clause</license>
    <notes>
+* [jan] SECURITY: Fix open redirects.
 * [jan] Fix decoding serialized attributes loaded from the backend.
 * [jan] Don&apos;t allow to add unsported image attributes (Bug #14659).
 * [jan] Fix deleting attributes from ticket types (Bug 14111).

diff --git a/view.php b/view.php
@@ -24,7 +24,7 @@
 } catch (Horde_Exception_PermissionDenied $e) {
     // No permissions to this ticket.
     Horde::url($registry->get('webroot', 'horde') . '/login.php', true)
-        ->add('url', Horde::selfUrl(true))
+        ->add('url', Horde::signUrl(Horde::selfUrl(true)))
         ->redirect();
 }