Skip to content

Commit e66ecc9

Browse files
committed
Fix URL redirection issue in login_page.php
When Mantis is installed at the web server's root, $g_short_path is set to '/'. string_sanitize_url() removes the trailing '/' from the short path, which causes the URL to be incorrectly categorized as "type 2", thus allowing cross-site redirection to occur. By making checking that the short path is not empty before setting URL as type 2, we ensure that we categorize it as type 3, which then forces the function's return value to 'index.php' Fixes #17648 (CVE-2014-6316)
1 parent 662bcd2 commit e66ecc9

File tree

1 file changed

+3
-1
lines changed

1 file changed

+3
-1
lines changed

Diff for: core/string_api.php

+3-1
Original file line numberDiff line numberDiff line change
@@ -242,7 +242,9 @@ function string_sanitize_url( $p_url, $p_return_absolute = false ) {
242242
$t_type = 0;
243243
if ( preg_match( '@^(?P<path>' . preg_quote( $t_path, '@' ) . ')' . $t_pattern . '$@', $t_url, $t_matches ) ) {
244244
$t_type = 1;
245-
} else if ( preg_match( '@^(?P<path>' . preg_quote( $t_short_path, '@' ) . ')' . $t_pattern . '$@', $t_url, $t_matches ) ) {
245+
} else if ( !empty( $t_short_path )
246+
&& preg_match( '@^(?P<path>' . preg_quote( $t_short_path, '@' ) . ')' . $t_pattern . '$@', $t_url, $t_matches )
247+
) {
246248
$t_type = 2;
247249
} else if ( preg_match( '@^(?P<path>)' . $t_pattern . '$@', $t_url, $t_matches ) ) {
248250
$t_type = 3;

0 commit comments

Comments
 (0)