Encode '\' in string_sanitize_url()

As an extra safety measure following up on the fix for CVE-2017-7620, we
encode the backslashes in the 'script' part of the URL to ensure that
the sanitized URL is treated as a path relative to MantisBT root and not
a link to an external site if the URL begins with an escaped `/`.

This reduces the risk of someone being able to use the same attack
vector in another page.

Fixes #22702, #22816
dregad committed May 13, 2017
1 parent f21b56f commit f66440902877103f312905257dbccdad02ab5a3b
Showing with 3 additions and 1 deletion.
  1. +3 −1 core/string_api.php
@@ -275,7 +275,9 @@ function string_sanitize_url( $p_url, $p_return_absolute = false ) {
}
# Start extracting regex matches
$t_script = $t_matches['script'];
# Encode backslashes to prevent unwanted escaping of a leading '/' allowing
# redirection to external sites
$t_script = strtr( $t_matches['script'], array( '\\' => '%5C' ) );
$t_script_path = $t_matches['path'];
# Clean/encode query params
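Review bot: the encoding is applied only to `$t_matches['script']` while the following line leaves `$t_script_path = $t_matches['path'];` untouched; it would be worth a sentence in the commit or the inline comment saying why the `path` part cannot carry the same leading `\/` problem, or extending the `strtr( ..., array( '\\' => '%5C' ) )` treatment to it as well. The added comment ("Encode backslashes to prevent unwanted escaping of a leading '/' allowing redirection to external sites") would also help a later reader more if it named CVE-2017-7620, which the commit message already cites as the origin of this hardening. Finally, since the change touches only core/string_api.php with no test, consider a regression test that passes a script value beginning with `\/` through string_sanitize_url() and asserts that the returned URL keeps the backslash encoded as `%5C` so it stays relative to the MantisBT root.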
