#3747 closed Defect (fixed)
forward() allows for only http/https URLs
| Reported by: | jricher | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | Elgg 1.8.1 |
| Component: | Core | Version: | 1.7 |
| Severity: | minor | Keywords: | redirect, forward, location, http |
| Cc: | brett@… | Difficulty: | |
Description
The core function forward() prepends the site root to any inputs that don't start with http: or https:
While the intent of this is clear (give an unambiguous redirection for relative URLs), this falls apart when trying to redirect to a valid, absolute, and non-http URL. Examples of this usage include doing application level callbacks on a mobile device (app://parameter) or directing an action to content on an external non-http server, such as FTP.
The easiest fix for 1.7 would be to add an optional flag to the forward() call which would bypass the http:// check when set. A deeper fix would be to gut the forward() function's check and replace it with better filter logic.
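The following is an added PHP example, not code from the Elgg project or from the ticket. It places the prefix check the reporter describes next to the `filter_var()` check named in the changeset, and adds a third variant that allow-lists schemes, since "any valid URI" also means that a request-supplied location with an unexpected scheme passes the check unchanged. The function names `resolve_location_*`, the `$site_root` parameter and the sample inputs are assumptions made for this example; the real `forward()` signature and site-root lookup are not reproduced here.

```php
<?php
// Added example for ticket #3747; not Elgg's own forward() implementation.
// Assumed: $site_root stands in for the configured site URL, and the
// resolve_location_* names are hypothetical helpers written for this example.

// Helper: join a relative path onto the site root, as forward() does for
// inputs it treats as relative.
function prepend_site_root(string $location, string $site_root): string {
    return rtrim($site_root, '/') . '/' . ltrim($location, '/');
}

// Behaviour the reporter describes: only http: and https: count as absolute;
// everything else, including app://... or ftp://..., gets the site root prepended.
function resolve_location_prefix_check(string $location, string $site_root): string {
    if (strpos($location, 'http:') === 0 || strpos($location, 'https:') === 0) {
        return $location;
    }
    return prepend_site_root($location, $site_root);
}

// Behaviour of the fix as described in the changeset: anything filter_var()
// accepts as a URL (absolute, with a scheme) passes through unchanged, so
// non-http schemes now work; only strings that are not URLs get the site root.
function resolve_location_filter_var(string $location, string $site_root): string {
    if (filter_var($location, FILTER_VALIDATE_URL) !== false) {
        return $location;
    }
    return prepend_site_root($location, $site_root);
}

// Defensive variant added here (not part of the fix): accept absolute URLs only
// when their scheme is on an explicit allow-list. Where $location can come from
// request input, this keeps a redirect from landing on a scheme the site never
// intended to hand off to. The fallback to the site root is a design choice
// for this example.
function resolve_location_allowlist(string $location, string $site_root, array $allowed_schemes): string {
    if (filter_var($location, FILTER_VALIDATE_URL) !== false) {
        $scheme = strtolower((string) parse_url($location, PHP_URL_SCHEME));
        if (in_array($scheme, $allowed_schemes, true)) {
            return $location;
        }
        return rtrim($site_root, '/') . '/';
    }
    return prepend_site_root($location, $site_root);
}

// Constructed sample inputs covering the cases the ticket mentions.
$site_root = 'https://example.org/elgg';
$cases = [
    'pg/profile',                            // relative path
    'https://example.org/elgg/pg/profile',   // absolute https URL
    'app://parameter',                       // mobile app callback from the ticket
    'ftp://files.example.org/pub/file.txt',  // non-http external server from the ticket
];

foreach ($cases as $location) {
    printf("%-40s prefix-check: %s\n", $location,
        resolve_location_prefix_check($location, $site_root));
    printf("%-40s filter_var:   %s\n", $location,
        resolve_location_filter_var($location, $site_root));
    printf("%-40s allow-list:   %s\n\n", $location,
        resolve_location_allowlist($location, $site_root, ['http', 'https', 'ftp']));
}
```

Run it with `php example.php`. The prefix-check column shows the defect from the ticket (the `app://` and `ftp://` inputs come back with the site root glued on), the `filter_var` column shows them passing through, and the allow-list column shows `app://parameter` being turned back because `app` is not in the allowed set passed in, which is the knob a deployment would tune for the schemes it actually hands off to.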
Change History (3)
comment:1 Changed 21 months ago by brettp
- Milestone changed from Needs Review to Elgg 1.8.1
comment:2 Changed 20 months ago by Brett Profitt
- Resolution set to fixed
- Status changed from new to closed
Fixes #3747. Using filter_var to check for any valid URI.
Changeset: ef119763b51119a10851a7a3fb1258c7116a96c0
comment:3 Changed 19 months ago by Brett Profitt
Fixes #3747. Using filter_var to check for any valid URI.
Changeset: ef119763b51119a10851a7a3fb1258c7116a96c0

Fix filter logic.