
Commit 83010fb

security Improvements - user advice
1 parent 9d53143 commit 83010fb

1 file changed

+56
-1
lines changed


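--- a/login.php
+++ b/login.php
@@ -384,7 +384,47 @@ function authorizePostProcessing($argsObj,$op) {
 echo json_encode(array('success' => true));
 } else {
 // If destination param is set redirect to given page ...
-if (!empty($argsObj->destination) && preg_match("/linkto.php/", $argsObj->destination)) {
+if ( !empty($argsObj->destination) ) {
+
+// 1) remove host.port from TL_BASE_HREF -> base_folder
+// https://hsgdshdjs:80/bsbsbb
+// http://fjljfld:8080/Hhhhs
+// http://hjhsjdhshdk/
+$baseURL = str_replace('://',':',TL_BASE_HREF);
+$basePieces = explode(':',TL_BASE_HREF);
+$howManyPieces = count($basePieces);
+switch ($howManyPieces) {
+case 2:
+case 3:
+break;
+default:
+echo 'Security Check Failure';
+die();
+break;
+}
+
+// http: hjhsjdhshdk/
+// http: hjhsjdhshdk/base_folder
+// https: hsgdshdjs: >> 80/bsbsbb
+// http: fjljfld: >> 8080/Hhhhs
+$dummy = explode('/',$basePieces[$howManyPieces-1]);
+$baseFolder = '/';
+$compo = trim($dummy[1]);
+if ($compo != '') {
+$baseFolder .= $compo . '/';
+}
+
+// 2) check base_folder/linkto.php
+$where = strpos($argsObj->destination, $baseFolder . 'linkto.php');
+$checkOK = ($where !== false) && ($where == 0);
+if ($checkOK == false) {
+echo 'Security Check Failure';
+die();
+}
+
+// 3) validate content after linkto.php?
+$dummy = explode($baseFolder . 'linkto.php?');
+$afterLinkTo = $baseFolder . 'linkto.php?' . cleanInput($dummy[1]);
 redirect($argsObj->destination);
 } else {
 // ... or show main page
@@ -429,3 +469,18 @@ function processAjaxCheck(&$dbHandler) {
 'timeout_info' => lang_get('timeout_info')));
 
 }
+
+
+// from https://css-tricks.com/snippets/php/sanitize-database-inputs/
+function cleanInput($input) {
+
+$search = array(
+'@<script[^>]*?>.*?</script>@si', // Strip out javascript
+'@<[\/\!]*?[^<>]*?>@si', // Strip out HTML tags
+'@<style[^>]*?>.*?</style>@siU', // Strip style tags properly
+'@<![\s\S]*?--[ \t\n\r]*>@' // Strip multi-line comments
+);
+
+$output = preg_replace($search, '', $input);
+return $output;
+}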
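Review bot: Step 3 of the new check never takes effect: `explode($baseFolder . 'linkto.php?')` at new line 426 is called without the string to split (an ArgumentCountError on PHP 8, a warning and null on PHP 7), and even when it returns, `$afterLinkTo` is discarded because line 428 still calls `redirect($argsObj->destination)` with the unsanitized value. The base-folder extraction at 393-395 has a related slip: `$baseURL` (with `://` collapsed to `:`) is computed but `explode(':',TL_BASE_HREF)` splits the original constant, so for a base URL without a port `$basePieces[$howManyPieces-1]` is `//host/base_folder`, `$dummy[1]` is the empty string, and `$baseFolder` stays `/` instead of `/base_folder/` as the comments at 406-407 intend. The lines that appear to be meant are `$basePieces = explode(':',$baseURL);`, `$dummy = explode($baseFolder . 'linkto.php?', $argsObj->destination);` and `redirect($afterLinkTo);`, with `$dummy[1]` guarded by `?? ''` for a destination that carries no query string. Separately, cleanInput's tag-stripping regexes come from a snippet written for database inputs and do not validate a query string; parsing it with parse_str and allowing only the keys linkto.php actually expects would be a tighter check than a blocklist. authorizePostProcessing begins and ends outside the hunk.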
