
Fix CSRF vulnerability in permalink_page.php

John Page aka hyp3rlinx / ApparitionSec http://hyp3rlinx.altervista.org
reported a CSRF vulnerability in permalink_page.php, allowing an
attacker to inject arbitrary links (CVE-2017-7620).

Backporting from master branch:
- Add form security token to prevent such injection
  0d11077d40c5dfdb76efdad9ba2b455af5be25a0
- Encode '\' in string_sanitize_url()
  7b23377c573817c5fe8b522e8c33de8b1caff179

Fixes #22702, #22816
dregad committed May 19, 2017
1 parent a64a0d2 commit 2d2309a384bcd9d4b6d7d2928e8ded2c46d2d7b0
Showing with 12 additions and 2 deletions.
  1. +4 −1 core/filter_api.php
  2. +3 −1 core/string_api.php
  3. +4 −0 permalink_page.php
  4. +1 −0 tests/Mantis/StringTest.php
@@ -2451,8 +2451,11 @@ function filter_draw_selection_area2( $p_page_number, $p_for_screen = true, $p_e
filter_print_view_type_toggle( $t_url, $t_filter['_view_type'] );
if( access_has_project_level( config_get( 'create_permalink_threshold' ) ) ) {
# Add CSRF protection, see #22702
$t_permalink_url = urlencode( filter_get_url( $t_filter ) )
. form_security_param( 'permalink' );
echo '<li>';
echo '<a href="permalink_page.php?url=' . urlencode( filter_get_url( $t_filter ) ) . '">';
echo '<a href="permalink_page.php?url=' . $t_permalink_url . '">';
echo '<i class="ace-icon fa fa-link"></i>&#160;&#160;' . lang_get( 'create_filter_link' );
echo '</a>';
echo '</li>';
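Review bot: The CSRF token now travels in the link's query string (`form_security_param( 'permalink' )` appended to `$t_permalink_url`), so it may end up in browser history, server access logs and the Referer header sent from permalink_page.php; that is inherent to a GET-based link, but a one-line comment would stop someone later dropping the page-side purge that limits replay, e.g. `# Token is sent as a GET parameter; permalink_page.php purges it after use`. The href is also echoed without `htmlspecialchars()`, which is fine for the `urlencode()` part but relies on `form_security_param()` returning attribute-safe output; a short comment stating that assumption would help the next reader. `filter_draw_selection_area2()` begins before this hunk.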
@@ -275,7 +275,9 @@ function string_sanitize_url( $p_url, $p_return_absolute = false ) {
}
# Start extracting regex matches
$t_script = $t_matches['script'];
# Encode backslashes to prevent unwanted escaping of a leading '/' allowing
# redirection to external sites
$t_script = strtr( $t_matches['script'], array( '\\' => '%5C' ) );
$t_script_path = $t_matches['path'];
# Clean/encode query params
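Review bot: The backslash encoding is applied only to the `script` capture, while the `path` capture is still assigned unchanged on the following line (`$t_script_path = $t_matches['path'];`), so whether a backslash in that component can produce the same off-site redirect depends on the regex above the hunk and on how the parts are reassembled; worth confirming, and either encoding it too or documenting why it is safe. The new comment describes the problem as "escaping of a leading '/'", but the underlying behaviour is that browsers normalize '\' to '/', which turns a leading `\/` into a scheme-relative `//` URL; suggest `# Browsers treat '\' as '/', so a leading '\/' would become a scheme-relative URL pointing off-site; encode it (#22702)`. `string_sanitize_url()` begins before this hunk.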
@@ -36,13 +36,16 @@
require_once( 'core.php' );
require_api( 'access_api.php' );
require_api( 'config_api.php' );
require_api( 'form_api.php' );
require_api( 'gpc_api.php' );
require_api( 'html_api.php' );
require_api( 'lang_api.php' );
require_api( 'print_api.php' );
require_api( 'string_api.php' );
require_api( 'utility_api.php' );
form_security_validate( 'permalink' );
layout_page_header();
layout_page_begin();
@@ -75,4 +78,5 @@
?>
</div>
<?php
form_security_purge( 'permalink' );
layout_page_end();
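Review bot: `form_security_purge( 'permalink' )` runs after the page body has been rendered, so the token carried by the link is presumably single-use and a browser reload of permalink_page.php will then fail `form_security_validate( 'permalink' )`; that is acceptable for a CSRF fix but deserves a comment so it is not later reported as a bug, e.g. `# Consume the token: the permalink link from filter_api.php is single-use`. The validate call is placed before `layout_page_header()`, which is the right spot since nothing is output before the check; a matching comment there, `# Reject requests not originating from the filter page link (#22702)`, would document why a read-only page needs a token at all. The form name must stay identical to the one used by `form_security_param( 'permalink' )` in core/filter_api.php.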
@@ -82,6 +82,7 @@ public function provider() {
array( 'plugin.php?page=Source/list&id=1#abc', 'plugin.php?page=Source%2Flist&id=1#abc'),
array( 'login_page.php?return=http://google.com/', 'index.php'),
array( 'javascript:alert(1);', 'index.php'),
array( '\/csrf-22702', '%5C/csrf-22702' ),
);
# @FIXME
