
Fix CSRF vulnerability in permalink_page.php

John Page aka hyp3rlinx / ApparitionSec http://hyp3rlinx.altervista.org
reported a CSRF vulnerability in permalink_page.php, allowing an
attacker to inject arbitrary links (CVE-2017-7620).

Backporting from master branch:
- Add form security token to prevent such injection (code changed from
  original commit) 0d11077d40c5dfdb76efdad9ba2b455af5be25a0
- Encode '\' in string_sanitize_url()
  7b23377c573817c5fe8b522e8c33de8b1caff179

Fixes #22702, #22816
dregad committed May 19, 2017
1 parent b933abc commit c4f50e5df6b189abb1d717a5f7dbab5cbfef8165
Showing with 12 additions and 2 deletions.
  1. +3 −1 core/filter_api.php
  2. +3 −1 core/string_api.php
  3. +5 −0 permalink_page.php
  4. +1 −0 tests/Mantis/StringTest.php
@@ -3615,7 +3615,9 @@ function filter_draw_selection_area2( $p_page_number, $p_for_screen = true, $p_e
if( access_has_project_level( config_get( 'create_permalink_threshold' ) ) ) {
?>
<form method="get" action="permalink_page.php">
<?php # CSRF protection not required here - form does not result in modifications ?>
<?php # Add CSRF protection, see #22702
echo form_security_field( 'permalink' );
?>
<input type="hidden" name="url" value="<?php echo urlencode( filter_get_url( $t_filter ) ) ?>" />
<input type="submit" name="reset_query_button" class="button-small" value="<?php echo lang_get( 'create_filter_link' ) ?>" />
</form>
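Review bot: The token written by `form_security_field( 'permalink' )` travels in the query string, because the enclosing form is `method="get"`, so it ends up in browser history, proxy and server access logs, and possibly the Referer of links followed from permalink_page.php. A forged request cannot obtain it that way, so the CSRF fix holds, but a token that leaks through those channels stays usable until permalink_page.php purges it (the hunk below does call `form_security_purge( 'permalink' )`, but only after the page has rendered). Switching to `<form method="post" action="permalink_page.php">` keeps the token out of URLs and logs; if GET is kept deliberately so the resulting page can be bookmarked, say so where the old "CSRF protection not required" comment stood, e.g. `# GET is intentional: the token is single-use and consumed by permalink_page.php`. filter_draw_selection_area2 begins before this hunk and continues after it.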
@@ -275,7 +275,9 @@ function string_sanitize_url( $p_url, $p_return_absolute = false ) {
}
# Start extracting regex matches
$t_script = $t_matches['script'];
# Encode backslashes to prevent unwanted escaping of a leading '/' allowing
# redirection to external sites
$t_script = strtr( $t_matches['script'], array( '\\' => '%5C' ) );
$t_script_path = $t_matches['path'];
# Clean/encode query params
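Review bot: Only the `script` capture is normalised; `$t_script_path = $t_matches['path']` on the following line still passes backslashes through untouched, and browsers treat `\` as `/` in http(s) URLs, which is exactly what turned `\/host` into a protocol-relative redirect. If the `path` capture can begin with or contain a backslash (the regex is outside this hunk, so I cannot tell), apply the same transform there: `$t_script_path = strtr( $t_matches['path'], array( '\\' => '%5C' ) );`. The comment above the fix would also read better if it named the mechanism rather than the symptom, e.g. `# Browsers normalise '\' to '/', so an unencoded '\/evil' becomes '//evil' (protocol-relative redirect)`. string_sanitize_url starts before this hunk and continues after it.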
@@ -36,15 +36,19 @@
require_once( 'core.php' );
require_api( 'access_api.php' );
require_api( 'config_api.php' );
require_api( 'form_api.php' );
require_api( 'gpc_api.php' );
require_api( 'html_api.php' );
require_api( 'lang_api.php' );
require_api( 'print_api.php' );
require_api( 'string_api.php' );
require_api( 'utility_api.php' );
form_security_validate( 'permalink' );
html_page_top();
access_ensure_project_level( config_get( 'create_permalink_threshold' ) );
$f_url = string_sanitize_url( gpc_get_string( 'url' ) );
@@ -64,4 +68,5 @@
?>
</div>
<?php
form_security_purge( 'permalink' );
html_page_bottom();
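Review bot: `form_security_purge( 'permalink' )` runs only after the page has fully rendered, so if `access_ensure_project_level()` or `string_sanitize_url()` aborts the request between validation and purge, the token stays valid in the session and the same URL (the token is in the query string, since the form is GET) can be replayed until the session ends. Nothing between `form_security_validate( 'permalink' );` and the purge appears to need the token, so consuming it right after validation, `form_security_validate( 'permalink' ); form_security_purge( 'permalink' );`, would bound that window — unless the token API is meant to hold the token until the action succeeds, in which case the current placement is the convention and worth a comment. Either way, a one-liner on the validate call would help the next reader, since this page changes no state: `# CSRF token required even though the page is read-only: the url parameter is rendered as a link (#22702, CVE-2017-7620)`.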
@@ -82,6 +82,7 @@ public function provider() {
array( 'plugin.php?page=Source/list&id=1#abc', 'plugin.php?page=Source%2Flist&id=1#abc'),
array( 'login_page.php?return=http://google.com/', 'index.php'),
array( 'javascript:alert(1);', 'index.php'),
array( '\/csrf-22702', '%5C/csrf-22702' ),
);
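Review bot: The new row pins only the leading-backslash vector, and nothing on the row explains why `%5C/csrf-22702` is the expected output; a comment above it such as `# '\' must be encoded: browsers treat it as '/', so '\/host' would become a protocol-relative redirect (#22702)` would stop a later cleanup from "fixing" the expectation. A second row with a backslash after the script name would also settle whether the path component is normalised, but I cannot state its expected value without the sanitizer's regex, which is outside this hunk. provider() starts before this hunk and continues after it.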
# @FIXME

