Skip to content
Snippets Groups Projects
Unverified Commit 5f074e97 authored by Jaime Pérez Crespo's avatar Jaime Pérez Crespo
Browse files

bugfix: Make sure no JS code can be injected into redirected URLs 

In order to fix this, we first sanitize any URL given to SimpleSAML\Utils\HTTP::checkURLAllowed() so that we make sure we have a true URL without spurious characters. Secondly, we stop using an "onload" event in the body of the redirect page to trigger the redirect automatically. Instead, we use a "meta refresh" redirection.

This double remediation is because there were two issues here: one, we were printing user input inside a chunk of javascript code. The other exploits the fact that the header() function silently breaks when a null character is part of the URL given to a "Location" header. In that case, the HTTP 302 Redirection doesn't happen, and then the browser loads the HTML and goes through it, running the injected javascript.

This fixes #699.
parent af84ac51
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment