fixing potentiall xss in external domains list

This commit is contained in:
2026-05-15 10:13:23 +02:00
parent eb3ffed163
commit 37cf88a06e
4 changed files with 85 additions and 15 deletions
+25 -3
@@ -282,6 +282,10 @@ function normalize_redirect_target(?string $target): string
return '/account/';
}
if (normalize_redirect_host($parts['host']) === null) {
return '/account/';
}
return $target;
}
@@ -310,12 +314,11 @@ function is_external_domain(string $url): ?string
return null;
}
$host = parse_url($url, PHP_URL_HOST);
if ($host === null || $host === '') {
$host = normalize_redirect_host((string) parse_url($url, PHP_URL_HOST));
if ($host === null) {
return null;
}
$host = strtolower($host);
if ($host === 'auth.jakach.ch' || str_ends_with($host, '.jakach.ch')) {
return null;
}
@@ -323,4 +326,23 @@ function is_external_domain(string $url): ?string
return $host;
}
function normalize_redirect_host(string $host): ?string
{
$host = rtrim(strtolower(trim($host)), '.');
if ($host === '' || strlen($host) > 253 || preg_match('/[\x00-\x20\x7f<>"\'`]/', $host)) {
return null;
}
if (filter_var($host, FILTER_VALIDATE_IP)) {
return $host;
}
if (!filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME)) {
return null;
}
return $host;
}
?>
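Review bot: In the `is_external_domain` hunk, the new `if ($host === null) { return null; }` after `normalize_redirect_host(...)` makes a host that fails validation indistinguishable from an internal `.jakach.ch` host, so any caller that reads a null result as "not external" now treats such URLs as safe; the replaced `parse_url`/`strtolower` path would have returned them as an external host. This affects IPv6 literals in particular, since `parse_url` returns them bracketed (`[::1]`) and neither `FILTER_VALIDATE_IP` nor `FILTER_VALIDATE_DOMAIN` with `FILTER_FLAG_HOSTNAME` accepts that form, so `normalize_redirect_host` returns null for them. Whether this is a regression depends on the callers, which are outside this section; if they cannot reject the URL themselves, consider failing closed here, e.g. `$host ?? throw new InvalidArgumentException('unparseable host');`, or, if IPv6 hosts are meant to be allowed, validate `trim($host, '[]')` in the IP branch. `normalize_redirect_host` also has no docblock; I would add one stating that it returns the lowercased host with any trailing dot stripped when it is a valid IP or hostname and null otherwise, that bracketed IPv6 literals are currently rejected, and that this validation does not replace `htmlspecialchars()` at the point where the host is rendered. `is_external_domain` starts before the hunk and continues between the second and third hunks; `normalize_redirect_host` is shown in full.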