On 19.05.2012 at 00:37, Michael Gapczynski wrote:
> On Saturday, May 19, 2012 12:00:28 AM Georg Ehrke wrote:
>> On 18.05.2012 at 23:09, Michael Gapczynski wrote:
>>> On Friday, May 18, 2012 06:39:01 PM Michiel de Jong wrote:
>>>> for me it works if you remove htmlentities() on line 315 of
>>>> lib/utils.php.
>>>>
>>>> To test, log out, then visit /?app=music&a=b
>>>>
>>>> Current master will make you go to /?app=music&a=b
>>>
>>> That worked for redirecting to apps, but it didn't work for redirecting to
>>> any of the settings pages that don't load off of index.php. That's why
>>> the login page also needs to look at $_REQUEST['redirect_url'].

It's actually working for me. Open Redirect is also denied.

>>>
>>> Redirects should be working and open redirects should be prevented in
>>> master.
>> Would it be enough to deny redirect_urls, which match a http(s) url pattern?
>
> I thought about that, but wouldn't that mean you'd also have to check for
> .com, .net, .org, etc. ?

Just:

if (preg_match('|^http(s)?://[a-z0-9-]+(\.[a-z0-9-]+)*(:[0-9]+)?(/.*)?$|i', $_GET['redirect'])) {
    // deny: an absolute http(s) URL would redirect off-site
}

>>> Michael
>>>
>>>> On Fri, May 18, 2012 at 6:32 PM, Michael Gapczynski <mt...@owncloud.com> wrote:
>>>>> It seems that the redirect isn't working with or without sanitizing the
>>>>> redirect_url. I'm still trying to figure out what is going on with this.
>>>>>
>>>>> I know the tar-file is being generated today, but is there a specific
>>>>> time?
>>>>>
>>>>> Michael
>>>>>
>>>>> On Friday, May 18, 2012 03:42:24 PM Frank Karlitschek wrote:
>>>>>> Thanks :-)
>>>>>>
>>>>>> On 18.05.2012, at 15:41, Michiel de Jong <mich...@unhosted.org> wrote:
>>>>>>> ok, i put it back.
>>>>>>>
>>>>>>> this still needs to be fixed properly though.
>>>>>>>
>>>>>>> On Fri, May 18, 2012 at 3:36 PM, Frank Karlitschek <fr...@owncloud.org> wrote:
>>>>>>>> Attackers can do evil stuff if you don't filter header entries.
>>>>>>>> This code was introduced as part of a security fix a few weeks ago.
>>>>>>>>
>>>>>>>> On 18.05.2012, at 15:20, Michiel de Jong <mich...@unhosted.org> wrote:
>>>>>>>>> how? it's a header() call.
>>>>>>>>>
>>>>>>>>> ah i just found MTGap on irc. thanks!
>>>>>>>>>
>>>>>>>>> On Fri, May 18, 2012 at 3:18 PM, Frank Karlitschek <fr...@owncloud.org> wrote:
>>>>>>>>>> On 18.05.2012, at 15:16, Michiel de Jong <mich...@unhosted.org> wrote:
>>>>>>>>>>> Hi!
>>>>>>>>>>>
>>>>>>>>>>> Since the new routing, if the user is made to log in, we were always
>>>>>>>>>>> sending her to the 'files' app, not to the page where she actually
>>>>>>>>>>> wanted to go. There was also htmlentities() in the redirect header
>>>>>>>>>>> which made no sense IMO.
>>>>>>>>>>>
>>>>>>>>>>> As this is quite important code, i was waiting for someone in
>>>>>>>>>>> owncloud-dev to look at it together, but in the end i just committed
>>>>>>>>>>> this:
>>>>>>>>>>>
>>>>>>>>>>> http://gitorious.org/owncloud/owncloud/commit/ea33b4aaa104252ff344e93a434e6c2eedcf438b/diffs/9b5e8a2c634e07d9c6e1693158e224eda7e5f673
>>>>>>>>>>
>>>>>>>>>> This introduces a XSS bug.
>>>>>>>>>> Please revert
>>>>>>>>>>
>>>>>>>>>>> So maybe Georg or someone else should check if this is what was
>>>>>>>>>>> intended. At least it was broken before, and this commit fixes it.
>>>>>>>>>>> Have a nice release! tomorrow, right?
>>>>>>>>>>>
>>>>>>>>>>> cheers,
>>>>>>>>>>> Michiel
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> Owncloud mailing list
>>>>>>>>>>> Owncloud@kde.org
>>>>>>>>>>> https://mail.kde.org/mailman/listinfo/owncloud
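The allow-list approach the thread converges on (keep only local paths such as /?app=music&a=b, deny anything that points off-site), as an added example that is not ownCloud's code. It assumes the login handler reads the target from $_REQUEST['redirect_url'] as mentioned above; the function name safe_redirect_target, the default target and every sample input are constructed. Rather than matching http(s):// and then worrying about .com, .net and .org as Michael asked, it asks parse_url() whether the candidate carries any scheme or host at all, which also rejects scheme-relative //host targets. Control characters are rejected up front because they never belong in a Location header, which is the header-injection concern behind the original filter; htmlentities() encodes for HTML output, not for header values, which is why it broke the redirect without helping the header.

```php
<?php
// Added example, not ownCloud code: allow-list check for a login redirect target.
// Only path-relative, same-origin targets pass; everything else falls back to $default.

function safe_redirect_target(?string $candidate, string $default = '/'): string
{
    if ($candidate === null || $candidate === '') {
        return $default;
    }
    // CR, LF, NUL and other control characters have no place in a Location header.
    if (preg_match('/[\x00-\x1f\x7f]/', $candidate)) {
        return $default;
    }
    // parse_url() returns false on seriously malformed input.
    $parts = parse_url($candidate);
    if ($parts === false) {
        return $default;
    }
    // Any scheme, host, userinfo or port means the target is not local to this install.
    foreach (['scheme', 'host', 'user', 'pass', 'port'] as $key) {
        if (isset($parts[$key])) {
            return $default;
        }
    }
    $path = $parts['path'] ?? '';
    // Require an absolute path on this host; a leading "//" or "/\" is read by
    // browsers as "host follows", so it is rejected as well.
    if ($path === '' || $path[0] !== '/' || preg_match('#^/[/\\\\]#', $candidate)) {
        return $default;
    }
    return $candidate;
}

// Constructed sample inputs paired with the expected outcome.
$samples = [
    '/?app=music&a=b'                 => '/?app=music&a=b',
    '/settings/personal.php'          => '/settings/personal.php',   // constructed settings path
    'http://other-host.example/'      => '/',
    'https://other-host.example/?x=1' => '/',
    '//other-host.example/'           => '/',
    "/?app=music\r\nX-Injected: 1"    => '/',
    'files'                           => '/',
    ''                                => '/',
];

foreach ($samples as $input => $expected) {
    $got = safe_redirect_target($input);
    printf("%-36s -> %-24s %s\n", json_encode($input), $got,
        $got === $expected ? 'ok' : 'MISMATCH');
}

// Constructed usage in a login handler: the validated value is what reaches header().
// header('Location: ' . safe_redirect_target($_REQUEST['redirect_url'] ?? null));
```

The function returns the safe default instead of throwing, so a tampered or mistyped redirect_url degrades to landing on the start page rather than to an error; if you prefer to log rejected values for detection, the early returns are the place to do it. Note that the check is deliberately stricter than the regex in Georg's reply: it does not try to enumerate what an external URL looks like, it only accepts what a local one looks like.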