Commit 8a27a7dd authored by webchick's avatar webchick

#733028 by cha0s, agentrickard: Fixed SA-CORE-2010-001 - Open redirection.

parent 65ae6eb0
......@@ -659,7 +659,8 @@ function drupal_encode_path($path) {
*/
function drupal_goto($path = '', array $options = array(), $http_response_code = 302) {
// A destination in $_GET always overrides the function arguments.
if (isset($_GET['destination'])) {
// We do not allow absolute URLs to be passed via $_GET, as this can be an attack vector.
if (isset($_GET['destination']) && !url_is_external($_GET['destination'])) {
$destination = drupal_parse_url($_GET['destination']);
$path = $destination['path'];
$options['query'] = $destination['query'];
......
......@@ -196,8 +196,13 @@ class CommonURLUnitTest extends DrupalWebTestCase {
);
$this->assertEqual(drupal_parse_url($url), $result, t('Absolute URL parsed correctly.'));
// External URL.
// External URL testing.
$url = 'http://drupal.org/foo/bar?foo=bar&bar=baz&baz#foo';
// Test that drupal can recognize an absolute URL. Used to prevent attack vectors.
$this->assertTrue(url_is_external($url), t('Correctly identified an external URL.'));
// Test the parsing of absolute URLs.
$result = array(
'path' => 'http://drupal.org/foo/bar',
'query' => array('foo' => 'bar', 'bar' => 'baz', 'baz' => ''),
......@@ -222,6 +227,10 @@ class CommonURLUnitTest extends DrupalWebTestCase {
// Non-clean URLs #3: URL generated by url() on non-Apache webserver.
$url = 'index.php?q=foo/bar&bar=baz#foo';
$this->assertEqual(drupal_parse_url($url), $result, t('Relative URL on non-Apache webserver with clean URLs disabled parsed correctly.'));
// Test that drupal_parse_url() does not allow spoofing a URL to force a malicious redirect.
$parts = drupal_parse_url('forged:http://cwe.mitre.org/data/definitions/601.html');
$this->assertFalse(valid_url($parts['path'], TRUE), t('drupal_parse_url() correctly parsed a forged URL.'));
}
/**
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment