Revision 1834
Added by Dietmar almost 12 years ago
- fixed redirect checking in class.login.php
branches/2.8.x/CHANGELOG | ||
---|---|---|
13 | 13 |
|
14 | 14 |
|
15 | 15 |
|
16 |
10 Dez-2012 Build 1834 Dietmar Woellbrink (Luisehahne) |
|
17 |
# fixed redirect checking in class.login.php |
|
16 | 18 |
10 Dez-2012 Build 1833 Dietmar Woellbrink (Luisehahne) |
17 | 19 |
# security fix CRLF injection/HTTP response splitting |
18 | 20 |
09 Dez-2012 Build 1832 Dietmar Woellbrink (Luisehahne) |
branches/2.8.x/wb/admin/interface/version.php | ||
---|---|---|
51 | 51 |
|
52 | 52 |
// check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled) |
53 | 53 |
if(!defined('VERSION')) define('VERSION', '2.8.3'); |
54 |
if(!defined('REVISION')) define('REVISION', '1833');
|
|
54 |
if(!defined('REVISION')) define('REVISION', '1834');
|
|
55 | 55 |
if(!defined('SP')) define('SP', ''); |
branches/2.8.x/wb/framework/class.login.php | ||
---|---|---|
69 | 69 |
$this->password_len = strlen($this->password); |
70 | 70 |
} |
71 | 71 |
|
72 |
$aServerUrl = $this->mb_parse_url(WB_URL); |
|
73 |
|
|
72 | 74 |
$sServerUrl = $_SERVER['SERVER_NAME']; |
73 |
$sServerScheme = $_SERVER['REQUEST_SCHEME'];
|
|
75 |
$sServerScheme = isset($_SERVER['REQUEST_SCHEME']) ? $_SERVER['REQUEST_SCHEME'] : isset($aServerUrl['scheme']) ? $aServerUrl['scheme'] : ' http';
|
|
74 | 76 |
$sServerPath = $_SERVER['SCRIPT_NAME']; |
75 | 77 |
// If the url is blank, set it to the default url |
76 | 78 |
$this->url = $this->get_post('url'); |
77 |
$aUrl = parse_url( $this->url ); |
|
79 |
$aUrl = $this->mb_parse_url( $this->url );
|
|
78 | 80 |
$this->url = isset($aRedirecthUrl['host']) &&($sServerUrl==$aUrl['host']) ? $this->url:ADMIN_URL.'/start/index.php'; |
79 | 81 |
if ($this->redirect_url!='') { |
80 |
$aRedirecthUrl = parse_url( $this->redirect_url ); |
|
82 |
$aRedirecthUrl = $this->mb_parse_url( $this->redirect_url );
|
|
81 | 83 |
$this->redirect_url = isset($aRedirecthUrl['host']) &&($sServerUrl==$aRedirecthUrl['host']) ? $this->redirect_url:$sServerScheme.'://'.$sServerUrl; |
82 | 84 |
$this->url = $this->redirect_url; |
83 | 85 |
} |
84 | 86 |
if(strlen($this->url) < 2) { |
85 |
$aDefaultUrl = parse_url( $this->default_url ); |
|
87 |
$aDefaultUrl = $this->mb_parse_url( $this->default_url );
|
|
86 | 88 |
$this->default_url = isset($aDefaultUrl['host']) &&($sServerUrl==$aDefaultUrl['host']) ? $this->default_url:$sServerScheme.'://'.$sServerUrl; |
87 | 89 |
$this->url = $this->default_url; |
88 | 90 |
} |
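Review bot: The scheme fallback on the new line 75 is an unparenthesized nested ternary, which PHP evaluates left-to-right, so whenever `REQUEST_SCHEME` is set the first branch becomes the condition of the second ternary and the result is `$aServerUrl['scheme']` rather than the request scheme; the final default `' http'` also carries a leading space, so a fallback redirect target would begin with `' http://'`. It should read `$sServerScheme = isset($_SERVER['REQUEST_SCHEME']) ? $_SERVER['REQUEST_SCHEME'] : (isset($aServerUrl['scheme']) ? $aServerUrl['scheme'] : 'http');`. The unchanged line 80 still tests `isset($aRedirecthUrl['host'])` before `$aRedirecthUrl` is assigned on line 82, so the host check for the posted `url` is always false and the value is always replaced by the admin start page; `isset($aUrl['host'])` looks intended, since `$aUrl` is what was just parsed. Since `$aServerUrl` is now parsed from the configured WB_URL, comparing hosts against `$aServerUrl['host']` instead of `$_SERVER['SERVER_NAME']` (whose value can depend on server configuration and the request) may be worth considering. The enclosing function begins before and continues after this hunk.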
branches/2.8.x/wb/framework/class.wb.php | ||
---|---|---|
79 | 79 |
} |
80 | 80 |
|
81 | 81 |
|
82 |
/** |
|
83 |
* Created parse_url utf-8 compatible function |
|
84 |
* |
|
85 |
* @param string $url The string to decode |
|
86 |
* @return array Associative array containing the different components |
|
87 |
* |
|
88 |
*/ |
|
89 |
public function mb_parse_url($url) { |
|
90 |
$encodedUrl = preg_replace('%[^:/?#&=\.]+%usDe', 'urlencode(\'$0\')', $url); |
|
91 |
$components = parse_url($encodedUrl); |
|
92 |
foreach ($components as &$component) |
|
93 |
$component = urldecode($component); |
|
94 |
return $components; |
|
95 |
} |
|
96 |
|
|
82 | 97 |
/* **************** |
83 | 98 |
* check if one or more group_ids are in both group_lists |
84 | 99 |
* |
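Review bot: `mb_parse_url` on the new lines 89–95 builds the encoded URL with the PCRE `e` modifier, which evaluates the replacement string as PHP code for every match in caller-supplied input; that modifier was deprecated in PHP 5.5 and removed in 7.0, so the helper should use a callback instead: `$encodedUrl = preg_replace_callback('%[^:/?#&=\.]+%usD', function ($m) { return urlencode($m[0]); }, $url);`. `parse_url()` returns `false` for a seriously malformed URL, and the `foreach` on line 92 would then emit a warning and the function would return `false`; adding `if (!is_array($components)) return array();` before the loop keeps the callers' `isset($aUrl['host'])` checks failing cleanly. The docblock describes the parameter as "The string to decode", but it is the URL to split; `@param string $url The URL to split into components; non-ASCII bytes are percent-encoded before parse_url() and decoded again afterwards` would say what the code does.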