Unverified Commit 5f074e97 authored by Jaime Pérez Crespo

bugfix: Make sure no JS code can be injected into redirected URLs

In order to fix this, we first sanitize any URL given to SimpleSAML\Utils\HTTP::checkURLAllowed() so that we make sure we have a true URL without spurious characters. Secondly, we stop using an "onload" event in the body of the redirect page to trigger the redirect automatically. Instead, we use a "meta refresh" redirection.

This double remediation is because there were two issues here: one, we were printing user input inside a chunk of JavaScript code. The other exploits the fact that the header() function silently breaks when a null character is part of the URL given to a "Location" header. In that case, the HTTP 302 redirection doesn't happen, and then the browser loads the HTML and goes through it, running the injected JavaScript.

This fixes #699.
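The two failure modes the commit message describes, side by side, as an added example that is not SimpleSAMLphp's own code: vulnerableRedirectBody() reproduces the pre-fix pattern of printing a user-supplied URL into a JavaScript string literal, hardenedRedirectBody() applies the two remedies (refuse anything that is not a clean URL, then redirect with a meta refresh instead of a script), and the constructed payload carries the NUL byte that makes PHP's header() give up on the Location header so the body is rendered. The function names, the payload and the idp.example.org host are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not SimpleSAMLphp code. Function names are hypothetical.

// Pre-fix pattern: the URL is placed inside a JS string literal in an onload
// attribute. htmlspecialchars() with its default flags converts & < > and "
// but leaves ' alone (ENT_QUOTES became the default only in PHP 8.1), so a
// single quote closes the literal and whatever follows it runs as code.
function vulnerableRedirectBody(string $url): string
{
    return '<body onload="window.location.replace(\'' . htmlspecialchars($url) . '\');">';
}

// Post-fix pattern: (1) reject anything that is not a clean absolute URL;
// FILTER_VALIDATE_URL fails on NUL bytes, whitespace, control characters and
// non-ASCII, and (2) let a meta refresh do the navigation so no user input is
// ever interpreted as JavaScript. ENT_QUOTES is passed explicitly so ' is
// encoded too.
function hardenedRedirectBody(string $url): string
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        throw new InvalidArgumentException('Invalid URL');
    }
    $safe = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return '<meta http-equiv="refresh" content="0;URL=' . $safe . '">';
}

// Constructed payload (host assumed to be on the trusted list): the NUL byte
// makes header('Location: ...') emit a warning and send nothing, so the 302
// never happens and the browser renders the page; the quote then breaks out
// of the JS string literal in the vulnerable body.
$payload = "http://idp.example.org/\0');alert(1);//";

echo vulnerableRedirectBody($payload), "\n";
// <body onload="window.location.replace('http://idp.example.org/<NUL>');alert(1);//');">
// The HTML parser turns the NUL into U+FFFD, the rest is valid JS, alert(1) runs.

try {
    hardenedRedirectBody($payload);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";   // rejected: Invalid URL
}

// A quote on its own survives FILTER_VALIDATE_URL (it is an allowed URL
// character), but in a meta refresh with ENT_QUOTES encoding it is inert.
echo hardenedRedirectBody("http://idp.example.org/');alert(1);//"), "\n";
// <meta http-equiv="refresh" content="0;URL=http://idp.example.org/&#039;);alert(1);//">
```

The last call is the point to keep in mind: the filter_var() gate stops the byte that defeats header(), but it does not stop quotes, so the output context (meta refresh plus ENT_QUOTES) is what actually prevents script injection, and both layers are needed.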
parent af84ac51
......@@ -186,9 +186,10 @@ class HTTP
echo '<html xmlns="http://www.w3.org/1999/xhtml">'."\n";
echo " <head>\n";
echo ' <meta http-equiv="content-type" content="text/html; charset=utf-8">'."\n";
echo ' <meta http-equiv="refresh" content="0;URL=\''.htmlspecialchars($url).'\'">'."\n";
echo " <title>Redirect</title>\n";
echo " </head>\n";
echo " <body onload=\"window.location.replace('".htmlspecialchars($url)."');\">\n";
echo " <body>\n";
echo " <h1>Redirect</h1>\n";
echo ' <p>You were redirected to: <a id="redirlink" href="'.htmlspecialchars($url).'">';
echo htmlspecialchars($url)."</a>\n";
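Review bot: the refresh target on the added `meta http-equiv="refresh"` line is wrapped in single quotes (`content="0;URL='...'"`) but escaped with a bare `htmlspecialchars($url)`, whose default flags (ENT_COMPAT on PHP before 8.1) encode `"` but not `'`; a `'` in $url therefore reaches the page unchanged, ends the quoted URL token of the refresh directive early, and the browser refreshes to a truncated address. It cannot escape the double-quoted attribute, so this is a correctness rather than an injection problem, but `htmlspecialchars($url, ENT_QUOTES, 'UTF-8')` at the three call sites in this hunk, or `content="0;URL='.htmlspecialchars($url).'"` without the inner quotes, closes it; ENT_QUOTES is also the flag the removed `onload` string literal was missing, which is worth a sentence in the commit message so the pattern is not reintroduced.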
......@@ -325,6 +326,10 @@ class HTTP
}
$url = self::normalizeURL($url);
if (filter_var($url, FILTER_VALIDATE_URL) === false) {
throw new \SimpleSAML_Error_Exception('Invalid URL: '.$url);
}
// get the white list of domains
if ($trustedSites === null) {
$trustedSites = \SimpleSAML_Configuration::getInstance()->getValue('trusted.url.domains', array());
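Review bot: the exception thrown after the new filter_var() check builds its message as `'Invalid URL: '.$url`, which puts the very bytes the check just rejected (NUL, control characters, non-ASCII) straight into the log and into any error page that prints the message; pass the value through htmlspecialchars() or a printable-only copy, or drop it from the message. Two caveats of FILTER_VALIDATE_URL deserve a note in the commit message or the trusted.url.domains documentation: it accepts ASCII only, so a URL with an IDN host or an unencoded UTF-8 path now throws here unless the caller applies idn_to_ascii()/rawurlencode() first, and it does not reject `'`, `<` or `>`, so it is a gatekeeper for the Location header and not a substitute for the output encoding in the redirect page.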