Project

General

Profile

« Previous | Next » 

Revision 1833

Added by Dietmar almost 12 years ago

  1. security fix CRLF injection/HTTP response splitting

View differences:

login.php
70 70
$loginUrl  = WB_URL.'/account/login.php';
71 71
$loginUrl .= (!empty($redirect) ? '?redirect=' .$_SESSION['HTTP_REFERER'] : '');
72 72

  
73
$ThemeUrl  = WB_URL.$wb->correct_theme_source('warning.html');
73
$WarningUrl  = str_replace(WB_PATH,WB_URL,$wb->correct_theme_source('warning.html'));
74 74
// Setup template object, parse vars to it, then parse it
75 75
$ThemePath = realpath(WB_PATH.$wb->correct_theme_source('loginBox.htt'));
76 76

  
77 77
$thisApp = new Login(
78 78
				array(
79 79
						"MAX_ATTEMPS" => "3",
80
						"WARNING_URL" => $ThemeUrl."/warning.html",
80
						"WARNING_URL" => $WarningUrl,
81 81
						"USERNAME_FIELDNAME" => 'username',
82 82
						"PASSWORD_FIELDNAME" => 'password',
83 83
						"REMEMBER_ME_OPTION" => SMART_LOGIN,

Also available in: Unified diff