Revision 1834
Added by Luisehahne almost 13 years ago
- fixed redirect checking in class.login.php
| branches/2.8.x/CHANGELOG | ||
|---|---|---|
| 13 | 13 |
|
| 14 | 14 |
|
| 15 | 15 |
|
| 16 |
10 Dez-2012 Build 1834 Dietmar Woellbrink (Luisehahne) |
|
| 17 |
# fixed redirect checking in class.login.php |
|
| 16 | 18 |
10 Dez-2012 Build 1833 Dietmar Woellbrink (Luisehahne) |
| 17 | 19 |
# security fix CRLF injection/HTTP response splitting |
| 18 | 20 |
09 Dez-2012 Build 1832 Dietmar Woellbrink (Luisehahne) |
| branches/2.8.x/wb/admin/interface/version.php | ||
|---|---|---|
| 51 | 51 |
|
| 52 | 52 |
// check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled) |
| 53 | 53 |
if(!defined('VERSION')) define('VERSION', '2.8.3');
|
| 54 |
if(!defined('REVISION')) define('REVISION', '1833');
|
|
| 54 |
if(!defined('REVISION')) define('REVISION', '1834');
|
|
| 55 | 55 |
if(!defined('SP')) define('SP', '');
|
| branches/2.8.x/wb/framework/class.login.php | ||
|---|---|---|
| 69 | 69 |
$this->password_len = strlen($this->password); |
| 70 | 70 |
} |
| 71 | 71 |
|
| 72 |
$aServerUrl = $this->mb_parse_url(WB_URL); |
|
| 73 |
|
|
| 72 | 74 |
$sServerUrl = $_SERVER['SERVER_NAME']; |
| 73 |
$sServerScheme = $_SERVER['REQUEST_SCHEME'];
|
|
| 75 |
$sServerScheme = isset($_SERVER['REQUEST_SCHEME']) ? $_SERVER['REQUEST_SCHEME'] : isset($aServerUrl['scheme']) ? $aServerUrl['scheme'] : ' http';
|
|
| 74 | 76 |
$sServerPath = $_SERVER['SCRIPT_NAME']; |
| 75 | 77 |
// If the url is blank, set it to the default url |
| 76 | 78 |
$this->url = $this->get_post('url');
|
| 77 |
$aUrl = parse_url( $this->url ); |
|
| 79 |
$aUrl = $this->mb_parse_url( $this->url );
|
|
| 78 | 80 |
$this->url = isset($aRedirecthUrl['host']) &&($sServerUrl==$aUrl['host']) ? $this->url:ADMIN_URL.'/start/index.php'; |
| 79 | 81 |
if ($this->redirect_url!='') {
|
| 80 |
$aRedirecthUrl = parse_url( $this->redirect_url ); |
|
| 82 |
$aRedirecthUrl = $this->mb_parse_url( $this->redirect_url );
|
|
| 81 | 83 |
$this->redirect_url = isset($aRedirecthUrl['host']) &&($sServerUrl==$aRedirecthUrl['host']) ? $this->redirect_url:$sServerScheme.'://'.$sServerUrl; |
| 82 | 84 |
$this->url = $this->redirect_url; |
| 83 | 85 |
} |
| 84 | 86 |
if(strlen($this->url) < 2) {
|
| 85 |
$aDefaultUrl = parse_url( $this->default_url ); |
|
| 87 |
$aDefaultUrl = $this->mb_parse_url( $this->default_url );
|
|
| 86 | 88 |
$this->default_url = isset($aDefaultUrl['host']) &&($sServerUrl==$aDefaultUrl['host']) ? $this->default_url:$sServerScheme.'://'.$sServerUrl; |
| 87 | 89 |
$this->url = $this->default_url; |
| 88 | 90 |
} |
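Review bot: The scheme fallback added at new line 75 is an unparenthesised nested ternary, which PHP groups left-to-right as `(isset(REQUEST_SCHEME) ? REQUEST_SCHEME : isset(scheme)) ? scheme : ' http'`, so `$_SERVER['REQUEST_SCHEME']` never becomes the result, the fallback literal `' http'` carries a leading space into the `$sServerScheme.'://'.$sServerUrl` redirect target built on lines 83 and 88, and PHP 8 rejects the expression outright; write it as `$sServerScheme = isset($_SERVER['REQUEST_SCHEME']) ? $_SERVER['REQUEST_SCHEME'] : (isset($aServerUrl['scheme']) ? $aServerUrl['scheme'] : 'http');`. Now that WB_URL is parsed into `$aServerUrl`, the host comparison on lines 80, 83 and 88 should also be anchored to the configured host rather than `$_SERVER['SERVER_NAME']`, which on web servers that do not canonicalise names reflects the client-supplied Host header and would let an attacker satisfy `$sServerUrl==$aRedirecthUrl['host']` for an off-site redirect: `$sServerUrl = isset($aServerUrl['host']) ? $aServerUrl['host'] : $_SERVER['SERVER_NAME'];`. Unchanged line 80 still tests `isset($aRedirecthUrl['host'])`, a variable that is not assigned until line 82, so the posted `url` is always replaced by `ADMIN_URL.'/start/index.php'`; it presumably should read `isset($aUrl['host'])`, and a malformed `url` makes `mb_parse_url` hand back a non-array that this line then indexes. The enclosing method starts before and ends after this hunk.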
| branches/2.8.x/wb/framework/class.wb.php | ||
|---|---|---|
| 79 | 79 |
} |
| 80 | 80 |
|
| 81 | 81 |
|
| 82 |
/** |
|
| 83 |
* Created parse_url utf-8 compatible function |
|
| 84 |
* |
|
| 85 |
* @param string $url The string to decode |
|
| 86 |
* @return array Associative array containing the different components |
|
| 87 |
* |
|
| 88 |
*/ |
|
| 89 |
public function mb_parse_url($url) {
|
|
| 90 |
$encodedUrl = preg_replace('%[^:/?#&=\.]+%usDe', 'urlencode(\'$0\')', $url);
|
|
| 91 |
$components = parse_url($encodedUrl); |
|
| 92 |
foreach ($components as &$component) |
|
| 93 |
$component = urldecode($component); |
|
| 94 |
return $components; |
|
| 95 |
} |
|
| 96 |
|
|
| 82 | 97 |
/* **************** |
| 83 | 98 |
* check if one or more group_ids are in both group_lists |
| 84 | 99 |
* |
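Review bot: The `e` modifier on the `preg_replace` at line 90 evaluates the replacement string as PHP code for every match; it is deprecated since PHP 5.5 and removed in 7.0, and the callers visible on this page feed it request-supplied `url` and `redirect_url` values, which is exactly the shape auditors flag even though PHP backslash-escapes quotes inside the substituted match. `preg_replace_callback` with a plain callback gives the same encoding without eval. `parse_url` can also return `false` for malformed input, which makes the `foreach` on line 92 emit a warning and the function return `false` instead of the array the docblock promises; returning an empty array keeps the `isset($x['host'])` checks in class.login.php working without the notice. The loop's `&$component` reference should be released with `unset` after the loop, and the `@param` text should describe the argument as the URL to parse rather than "the string to decode".
```php
public function mb_parse_url($url) {
    $encodedUrl = preg_replace_callback(
        '%[^:/?#&=\.]+%usD',
        function ($m) { return urlencode($m[0]); },
        $url
    );
    $components = parse_url($encodedUrl);
    if ($components === false) {
        return array();
    }
    foreach ($components as &$component) {
        $component = urldecode($component);
    }
    unset($component);
    return $components;
}
```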