authorStefan Giehl <stefan@matomo.org>2022-11-01 01:57:56 +0300
committerGitHub <noreply@github.com>2022-11-01 01:57:56 +0300
commit16a601f40491b548c4b02c5e664cb26c09e3306a (patch)
tree1baffc21194fd6f149ce57eafcfaaa3533a91248
parente4f9a638e600ada201739f17319512a32a3120a0 (diff)
Harden check for valid redirect urls in logme method (#19917)
-rw-r--r--plugins/Login/Controller.php6
1 files changed, 6 insertions, 0 deletions
diff --git a/plugins/Login/Controller.php b/plugins/Login/Controller.php
index 7f114158aa..c7c3bf9468 100644
--- a/plugins/Login/Controller.php
+++ b/plugins/Login/Controller.php
@@ -333,6 +333,12 @@ class Controller extends \Piwik\Plugin\ControllerAdmin
$parsedUrl = parse_url($urlToRedirect);
+ if (!empty($urlToRedirect) && false === $parsedUrl) {
+ $e = new \Piwik\Exception\Exception('The redirect URL is not valid.');
+ $e->setIsHtmlMessage();
+ throw $e;
+ }
+
// only use redirect url if host is trusted
if (!empty($parsedUrl['host']) && !Url::isValidHost($parsedUrl['host'])) {
$e = new \Piwik\Exception\Exception('The redirect URL host is not valid, it is not a trusted host. If this URL is trusted, you can allow this in your config.ini.php file by adding the line <i>trusted_hosts[] = "' . Common::sanitizeInputValue($parsedUrl['host']) . '"</i> under <i>[General]</i>');