From f59e68127cb4147e49f9453e1f657cc24972fda5 Mon Sep 17 00:00:00 2001
From: Starbeamrainbowlabs
Date: Tue, 21 Sep 2021 13:40:12 +0100
Subject: [PATCH] Ensured that the `returnto` GET parameter leads you only to another place on your Pepperminty Wiki instance (thanks, @JamieSlome)
---
 Changelog.md | 1 +
 modules/page-login.php | 8 ++++++++
 2 files changed, 9 insertions(+)
diff --git a/Changelog.md b/Changelog.md
index 056ee6e..8c52f23 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -6,6 +6,7 @@ This file holds the changelog for Pepperminty Wiki. This is the master list of t
 ### Fixed
 - [security] Fixed an XSS vulnerability in the `format` GET parameter of the `stats` action (thanks, @JamieSlome)
+ - [security] Ensured that the `returnto` GET parameter leads you only to another place on your Pepperminty Wiki instance (thanks, @JamieSlome)
 ## v0.23
diff --git a/modules/page-login.php b/modules/page-login.php
index b615d90..de4e927 100644
--- a/modules/page-login.php
+++ b/modules/page-login.php
@@ -152,6 +152,14 @@ $_SESSION["$settings->sessionprefix-pass"] = $new_password_hash ?? hash_password($pass);
 $_SESSION["$settings->sessionprefix-expiretime"] = time() + 60*60*24*30; // 30 days from now
+ $returnto_redirect = $_GET["returnto"];
+ if(strpos($returnto_redirect, "?") === false) {
+ http_response_code(400);
+ exit(page_renderer::render_main("Login error - $settings->sitename", "

Your credentials were correct, but the 'returnto' URL specified (in the returnto GET parameter) did not contain a question mark. To protect you from being redirected to another site, $settings->sitename only allows redirects that do not leave $settings->sitename.

"));
+ }
+ // Ensure that this redirect takes to only somewhere else in this site
+ $returnto_redirect = substr($returnto_redirect, strpos($returnto_redirect, "?"));
+ // Redirect to wherever the user was going
 http_response_code(302);
 header("x-login-success: yes");
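Review bot: `$returnto_redirect = $_GET["returnto"];` reads the parameter without checking that it was sent, so a login request with no returnto at all raises an undefined-key notice/warning and then passes null to `strpos`, which (coerced to an empty string) returns false and serves the new 400 page whose text says the URL "did not contain a question mark"; defaulting the read, `$returnto_redirect = $_GET["returnto"] ?? "";`, keeps the same rejection without the warning, and the message could then distinguish a missing parameter from a malformed one. The position of the `?` is also computed twice, once in the `if` and again inside `substr`; storing it once, `$qpos = strpos($returnto_redirect, "?");`, and using `$qpos` in both places makes the link between the guard and the slice explicit. The check itself looks sound as far as the hunk shows, since everything before the first `?` is discarded and only a query string survives, but the `header("location: ...")` call that consumes `$returnto_redirect` lies outside the hunk, so whether it prefixes the value with the wiki's own path cannot be confirmed from here. Note also that the session variables on the preceding context lines are already set when the 400 is emitted, so a rejected returnto still leaves the user logged in; the enclosing function begins before this hunk.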