Ensured that the returnto GET parameter leads you only to another p…

…lace on your Pepperminty Wiki instance (thanks, @JamieSlome)
sbrl · Sep 21, 2021 · f59e681 · f59e681
1 parent 4be6a18
commit f59e681
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/Changelog.md b/Changelog.md
@@ -6,6 +6,7 @@ This file holds the changelog for Pepperminty Wiki. This is the master list of t
 
 ### Fixed
  - [security] Fixed an XSS vulnerability in the `format` GET parameter of the `stats` action (thanks, @JamieSlome)
+ - [security] Ensured that the `returnto` GET parameter leads you only to another place on your Pepperminty Wiki instance (thanks, @JamieSlome)
 
 
 ## v0.23

diff --git a/modules/page-login.php b/modules/page-login.php
@@ -152,6 +152,14 @@
 			$_SESSION["$settings->sessionprefix-pass"] = $new_password_hash ?? hash_password($pass);
 			$_SESSION["$settings->sessionprefix-expiretime"] = time() + 60*60*24*30; // 30 days from now
 
+			$returnto_redirect = $_GET["returnto"];
+			if(strpos($returnto_redirect, "?") === false) {
+				http_response_code(400);
+				exit(page_renderer::render_main("Login error - $settings->sitename", "<p>Your credentials were correct, but the 'returnto' URL specified (in the <code>returnto</code> GET parameter) did not contain a question mark. To protect you from being redirected to another site, $settings->sitename only allows redirects that do not leave $settings->sitename.</p>"));
+			}
+			// Ensure that this redirect takes to only somewhere else in this site
+			$returnto_redirect = substr($returnto_redirect, strpos($returnto_redirect, "?"));
+
 			// Redirect to wherever the user was going
 			http_response_code(302);
 			header("x-login-success: yes");