
BUGFIX Less strict checks for relative URL normalization in SS_HTTPRequest (regression from recent security fixes to Director::is_absolute_url()) (fixes #7359)
1 parent 18fa9cd commit fedb337aa50770e5605a8fe772570f5905be6bbe @chillu chillu committed May 20, 2012
Showing with 3 additions and 2 deletions.
  1. +3 −2 control/HTTPRequest.php
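--- a/control/HTTPRequest.php
+++ b/control/HTTPRequest.php
@@ -90,8 +90,9 @@ class SS_HTTPRequest implements ArrayAccess {
 function __construct($httpMethod, $url, $getVars = array(), $postVars = array(), $body = null) {
 $this->httpMethod = strtoupper(self::detect_method($httpMethod, $postVars));
 $this->url = $url;
-
- if(Director::is_relative_url($url)) {
+
+ // Normalize URL if its relative (strictly speaking), or has leading slashes
+ if(Director::is_relative_url($url) || preg_match('/^\//', $url)) {
 $this->url = preg_replace(array('/\/+/','/^\//', '/\/$/'),array('/','',''), $this->url);
 }
 if(preg_match('/^(.*)\.([A-Za-z][A-Za-z0-9]*)$/', $this->url, $matches)) {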
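Review bot: The added `preg_match('/^\//', $url)` branch ships without a regression test (the diffstat lists only control/HTTPRequest.php), so nothing pins which inputs are normalized now that the decision no longer rests on `Director::is_relative_url()` alone. Presumably the hardened `Director::is_absolute_url()` now classifies a leading `//` as absolute, which is why such request URLs stopped being normalized; the comment should say so, e.g. `// Normalize if relative, or if it starts with "/" (incl. "//", which Director no longer treats as relative): collapse duplicate slashes, strip leading/trailing ones`. A test should assert that a constructed sample such as `//foo//bar/` ends up as `foo/bar` and that a URL carrying a scheme is left unchanged. It is also worth stating next to the check that this only shapes the path used for routing and is not a replacement for `Director::is_absolute_url()` wherever redirect targets are validated. The constructor body continues outside the hunk.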

0 comments on commit fedb337
