Fix: unvalidated redirect

fisharebest · Sep 29, 2021 · 551ad4a · 551ad4a
1 parent e3ca0f8
commit 551ad4a
Show file tree

Hide file tree

Showing 12 changed files with 40 additions and 15 deletions.
diff --git a/app/Http/RequestHandlers/AddChildToFamilyAction.php b/app/Http/RequestHandlers/AddChildToFamilyAction.php
@@ -20,8 +20,6 @@
 namespace Fisharebest\Webtrees\Http\RequestHandlers;
 
 use Fisharebest\Webtrees\Auth;
-use Fisharebest\Webtrees\Date;
-use Fisharebest\Webtrees\Individual;
 use Fisharebest\Webtrees\Registry;
 use Fisharebest\Webtrees\Services\GedcomEditService;
 use Fisharebest\Webtrees\Tree;
@@ -79,6 +77,9 @@ public function handle(ServerRequestInterface $request): ResponseInterface
         // Link the child to the family
         $family->createFact('1 CHIL @' . $child->xref() . '@', false);
 
-        return redirect($params['url'] ?? $child->url());
+        $base_url = $request->getAttribute('base_url');
+        $url      = str_starts_with($params['url'], $base_url) ? $params['url'] : $child->url();
+
+        return redirect($url);
     }
 }
diff --git a/app/Http/RequestHandlers/AddChildToIndividualAction.php b/app/Http/RequestHandlers/AddChildToIndividualAction.php
@@ -85,6 +85,9 @@ public function handle(ServerRequestInterface $request): ResponseInterface
         // Link the child to the family
         $child->createFact('1 FAMC @' . $family->xref() . '@', false);
 
-        return redirect($params['url'] ?? $child->url());
+        $base_url = $request->getAttribute('base_url');
+        $url      = str_starts_with($params['url'], $base_url) ? $params['url'] : $child->url();
+
+        return redirect($url);
     }
 }
diff --git a/app/Http/RequestHandlers/AddParentToIndividualAction.php b/app/Http/RequestHandlers/AddParentToIndividualAction.php
@@ -85,6 +85,9 @@ public function handle(ServerRequestInterface $request): ResponseInterface
         // Link the parent to the family
         $parent->createFact('1 FAMS @' . $family->xref() . '@', false);
 
-        return redirect($params['url'] ?? $parent->url());
+        $base_url = $request->getAttribute('base_url');
+        $url      = str_starts_with($params['url'], $base_url) ? $params['url'] : $parent->url();
+
+        return redirect($url);
     }
 }
diff --git a/app/Http/RequestHandlers/AddSpouseToFamilyAction.php b/app/Http/RequestHandlers/AddSpouseToFamilyAction.php
@@ -94,6 +94,9 @@ public function handle(ServerRequestInterface $request): ResponseInterface
         // Link the spouse to the family
         $family->createFact('1 ' . $link . ' @' . $spouse->xref() . '@', false);
 
-        return redirect($params['url'] ?? $spouse->url());
+        $base_url = $request->getAttribute('base_url');
+        $url      = str_starts_with($params['url'], $base_url) ? $params['url'] : $spouse->url();
+
+        return redirect($url);
     }
 }
diff --git a/app/Http/RequestHandlers/AddSpouseToIndividualAction.php b/app/Http/RequestHandlers/AddSpouseToIndividualAction.php
@@ -88,6 +88,9 @@ public function handle(ServerRequestInterface $request): ResponseInterface
         // Link the spouse to the family
         $spouse->createFact('1 FAMS @' . $family->xref() . '@', false);
 
-        return redirect($params['url'] ?? $spouse->url());
+        $base_url = $request->getAttribute('base_url');
+        $url      = str_starts_with($params['url'], $base_url) ? $params['url'] : $spouse->url();
+
+        return redirect($url);
     }
 }
diff --git a/app/Http/RequestHandlers/AddUnlinkedAction.php b/app/Http/RequestHandlers/AddUnlinkedAction.php
@@ -65,6 +65,9 @@ public function handle(ServerRequestInterface $request): ResponseInterface
 
         $individual = $tree->createIndividual("0 @@ INDI\n" . $gedcom);
 
-        return redirect($params['url'] ?? $individual->url());
+        $base_url = $request->getAttribute('base_url');
+        $url      = str_starts_with($params['url'], $base_url) ? $params['url'] : $individual->url();
+
+        return redirect($url);
     }
 }
diff --git a/app/Http/RequestHandlers/ContactAction.php b/app/Http/RequestHandlers/ContactAction.php
@@ -142,7 +142,7 @@ public function handle(ServerRequestInterface $request): ResponseInterface
         if ($this->message_service->deliverMessage($sender, $to_user, $subject, $body, $url, $ip)) {
             FlashMessages::addMessage(I18N::translate('The message was successfully sent to %s.', e($to_user->realName())), 'success');
 
-            $url = $url ?: route(TreePage::class, ['tree' => $tree->name()]);
+            $url = str_starts_with($url, $base_url) ? $url : route(TreePage::class, ['tree' => $tree->name()]);
 
             return redirect($url);
         }

diff --git a/app/Http/RequestHandlers/EditFactAction.php b/app/Http/RequestHandlers/EditFactAction.php
@@ -114,6 +114,9 @@ public function handle(ServerRequestInterface $request): ResponseInterface
             }
         }
 
-        return redirect($params['url'] ?? $record->url());
+        $base_url = $request->getAttribute('base_url');
+        $url      = str_starts_with($params['url'], $base_url) ? $params['url'] : $record->url();
+
+        return redirect($url);
     }
 }
diff --git a/app/Http/RequestHandlers/EditRawFactAction.php b/app/Http/RequestHandlers/EditRawFactAction.php
@@ -72,6 +72,9 @@ public function handle(ServerRequestInterface $request): ResponseInterface
             }
         }
 
-        return redirect($params['url'] ?? $record->url());
+        $base_url = $request->getAttribute('base_url');
+        $url      = str_starts_with($params['url'], $base_url) ? $params['url'] : $record->url();
+
+        return redirect($url);
     }
 }
diff --git a/app/Http/RequestHandlers/EmptyClipboard.php b/app/Http/RequestHandlers/EmptyClipboard.php
@@ -59,10 +59,11 @@ public function handle(ServerRequestInterface $request): ResponseInterface
     {
         $params = (array) $request->getParsedBody();
 
-        $url = $params['url'] ?? $request->getHeaderLine('Referer');
-
         $this->clipboard_service->emptyClipboard();
 
+        $base_url = $request->getAttribute('base_url');
+        $url      = str_starts_with($params['url'], $base_url) ? $params['url'] : $request->getHeaderLine('Referer');
+
         return redirect($url);
     }
 }
diff --git a/app/Http/RequestHandlers/LoginAction.php b/app/Http/RequestHandlers/LoginAction.php
@@ -82,7 +82,8 @@ public function handle(ServerRequestInterface $request): ResponseInterface
             }
 
             // Redirect to the target URL
-            $url = $url ?: route(HomePage::class);
+            $base_url = $request->getAttribute('base_url');
+            $url      = str_starts_with($url, $base_url) ? $url : route(HomePage::class);
 
             return redirect($url);
         } catch (Exception $ex) {

diff --git a/app/Http/RequestHandlers/MessageAction.php b/app/Http/RequestHandlers/MessageAction.php
@@ -95,7 +95,8 @@ public function handle(ServerRequestInterface $request): ResponseInterface
         if ($this->message_service->deliverMessage($user, $to_user, $subject, $body, $url, $ip)) {
             FlashMessages::addMessage(I18N::translate('The message was successfully sent to %s.', e($to_user->realName())), 'success');
 
-            $url = $url ?: route(TreePage::class, ['tree' => $tree->name()]);
+            $base_url = $request->getAttribute('base_url');
+            $url      = str_starts_with($url, $base_url) ? $url : route(TreePage::class, ['tree' => $tree->name()]);
 
             return redirect($url);
         }