makary/phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-06-28 06:08:52 +00:00
Code Issues Projects Releases Packages Wiki Activity

[bug/56965] Redirect fails with directory traversal

Browse source 
Correct invalid r10536 with a boolean flag.  Note that this fix for the bug will not actually correct the redirects, it will only prevent phpBB from redirecting outside $phpbb_root_path when redirect()'s third argument is not provided.
This commit is contained in:
Josh Woody 2010-03-17 23:24:34 -05:00
parent ac32927566
commit eca2db4afe
1 changed files with 53 additions and 47 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
phpBB/includes/functions.php
View file

@ -2297,6 +2297,8 @@ function redirect($url, $return = false, $disable_cd_check = false)
{ {
global $db, $cache, $config, $user, $phpbb_root_path; global $db, $cache, $config, $user, $phpbb_root_path;
$failover_flag = false;
if (empty($user->lang)) if (empty($user->lang))
{ {
$user->add_lang('common'); $user->add_lang('common');
@ -2344,11 +2346,14 @@ function redirect($url, $return = false, $disable_cd_check = false)
if (!file_exists($pathinfo['dirname'])) if (!file_exists($pathinfo['dirname']))
{ {
// fallback to "last known user page" // fallback to "last known user page"
// at least this way we know the user does not leave the phpBB root
$url = generate_board_url() . '/' . $user->page['page']; $url = generate_board_url() . '/' . $user->page['page'];
break; $failover_flag = true;
} }
} }
if (!$failover_flag)
{
// Is the uri pointing to the current directory? // Is the uri pointing to the current directory?
if ($pathinfo['dirname'] == '.') if ($pathinfo['dirname'] == '.')
{ {
@ -2405,6 +2410,7 @@ function redirect($url, $return = false, $disable_cd_check = false)
$url = generate_board_url() . '/' . $url; $url = generate_board_url() . '/' . $url;
} }
} }
}
// Make sure no linebreaks are there... to prevent http response splitting for PHP < 4.4.2 // Make sure no linebreaks are there... to prevent http response splitting for PHP < 4.4.2
if (strpos(urldecode($url), "\n") !== false || strpos(urldecode($url), "\r") !== false || strpos($url, ';') !== false) if (strpos(urldecode($url), "\n") !== false || strpos(urldecode($url), "\r") !== false || strpos($url, ';') !== false)