Merge tag '3.0.1' into develop
Fixed an open redirect vulnerability that could be used to construct a URL redirecting to an arbitrary domain
commit
bfaea0e381
3 changed files with 22 additions and 6 deletions
|
@ -37,6 +37,25 @@ class ViewFactory
|
||||||
->withScheme('https');
|
->withScheme('https');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param Uri $uri
|
||||||
|
* @return Uri
|
||||||
|
*/
|
||||||
|
private static function cleanBasePath(Uri $uri): Uri
|
||||||
|
{
|
||||||
|
$basePath = $uri->getBasePath();
|
||||||
|
if (str_ends_with($basePath, 'index.php')) {
|
||||||
|
/*
|
||||||
|
* When the base path ends with index.php,
|
||||||
|
* routing works correctly, but it breaks the URL of static assets using {base_url}.
|
||||||
|
* So we alter the base path but only in the URI used by SmartyPlugins.
|
||||||
|
*/
|
||||||
|
$uri = $uri->withBasePath(dirname($basePath));
|
||||||
|
}
|
||||||
|
|
||||||
|
return $uri;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Create Smarty view object.
|
* Create Smarty view object.
|
||||||
*
|
*
|
||||||
|
@ -76,6 +95,8 @@ class ViewFactory
|
||||||
/** @var LocaleManager $localeManager */
|
/** @var LocaleManager $localeManager */
|
||||||
$localeManager = $container->get('locale');
|
$localeManager = $container->get('locale');
|
||||||
|
|
||||||
|
$uri = self::cleanBasePath($uri);
|
||||||
|
|
||||||
$smartyPlugins = new SmartyPlugins($container->get('router'), $uri->withUserInfo(''));
|
$smartyPlugins = new SmartyPlugins($container->get('router'), $uri->withUserInfo(''));
|
||||||
$view->registerPlugin('function', 'path_for', [$smartyPlugins, 'pathFor']);
|
$view->registerPlugin('function', 'path_for', [$smartyPlugins, 'pathFor']);
|
||||||
$view->registerPlugin('function', 'base_url', [$smartyPlugins, 'baseUrl']);
|
$view->registerPlugin('function', 'base_url', [$smartyPlugins, 'baseUrl']);
|
||||||
|
|
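Review bot: The suffix test in cleanBasePath, `str_ends_with($basePath, 'index.php')`, also matches any front-controller name that merely ends in those characters (for example `/myindex.php`) and would strip that whole script name too; if the base path is always slash-prefixed, as Slim normalises it, matching the segment `str_ends_with($basePath, '/index.php')` is the stricter check. `str_ends_with` is a PHP 8.0 builtin, so this hunk also raises the minimum PHP version unless the project already ships a polyfill — worth confirming against its declared PHP requirement. The docblock only restates the native types; a one-sentence contract such as `Strips a trailing index.php from the base path so {base_url} points at the document root` would say what the signature cannot. In the second hunk `$uri` is reassigned in place before SmartyPlugins is built, so if that variable is referenced later in the enclosing function (which starts and ends outside the hunk) for anything other than the plugins, the altered base path leaks there as well; a separate local like `$pluginUri = self::cleanBasePath($uri);` would keep the change scoped the way the comment promises.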
|
@ -5,11 +5,6 @@ require_once __DIR__ . '/vendor/autoload.php';
|
||||||
use Alltube\App;
|
use Alltube\App;
|
||||||
use Alltube\ErrorHandler;
|
use Alltube\ErrorHandler;
|
||||||
|
|
||||||
if (isset($_SERVER['REQUEST_URI']) && strpos($_SERVER['REQUEST_URI'], '/index.php') !== false) {
|
|
||||||
header('Location: ' . str_ireplace('/index.php', '/', $_SERVER['REQUEST_URI']));
|
|
||||||
die;
|
|
||||||
}
|
|
||||||
|
|
||||||
try {
|
try {
|
||||||
// Create app.
|
// Create app.
|
||||||
$app = new App();
|
$app = new App();
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
<h1 class="logobis">
|
<h1 class="logobis">
|
||||||
<a class="logocompatible" href="{base_url}">
|
<a class="logocompatible" href="{path_for name="index"}">
|
||||||
<span class="logocompatiblemask">
|
<span class="logocompatiblemask">
|
||||||
{html_image file='img/logocompatiblemask.png' path_prefix={base_url}|cat:'/' alt=$config->appName}
|
{html_image file='img/logocompatiblemask.png' path_prefix={base_url}|cat:'/' alt=$config->appName}
|
||||||
</span>
|
</span>
|
||||||
|
|