Merge tag '3.0.1' into develop

Fixed an open redirect vulnerability that could be used to construct a URL redirecting to an arbitrary domain
Pierre Rudloff 2022-02-20 13:34:53 +01:00
commit bfaea0e381
3 changed files with 22 additions and 6 deletions


@ -37,6 +37,25 @@ class ViewFactory
->withScheme('https'); ->withScheme('https');
} }
/**
* @param Uri $uri
* @return Uri
*/
private static function cleanBasePath(Uri $uri): Uri
{
$basePath = $uri->getBasePath();
if (str_ends_with($basePath, 'index.php')) {
/*
* When the base path ends with index.php,
* routing works correctly, but it breaks the URL of static assets using {base_url}.
* So we alter the base path but only in the URI used by SmartyPlugins.
*/
$uri = $uri->withBasePath(dirname($basePath));
}
return $uri;
}
/** /**
* Create Smarty view object. * Create Smarty view object.
* *
@ -76,6 +95,8 @@ class ViewFactory
/** @var LocaleManager $localeManager */ /** @var LocaleManager $localeManager */
$localeManager = $container->get('locale'); $localeManager = $container->get('locale');
$uri = self::cleanBasePath($uri);
$smartyPlugins = new SmartyPlugins($container->get('router'), $uri->withUserInfo('')); $smartyPlugins = new SmartyPlugins($container->get('router'), $uri->withUserInfo(''));
$view->registerPlugin('function', 'path_for', [$smartyPlugins, 'pathFor']); $view->registerPlugin('function', 'path_for', [$smartyPlugins, 'pathFor']);
$view->registerPlugin('function', 'base_url', [$smartyPlugins, 'baseUrl']); $view->registerPlugin('function', 'base_url', [$smartyPlugins, 'baseUrl']);
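Review bot: `cleanBasePath` only covers the case where `dirname()` has a directory to return: if `getBasePath()` can ever yield a bare `index.php` with no leading segment, `dirname('index.php')` is `.` and the URI handed to SmartyPlugins gets `.` as its base path, and the suffix check is case-sensitive whereas the redirect this commit removes from index.php matched `/index.php` case-insensitively via `str_ireplace`. A guard such as `$dir = dirname($basePath); $uri = $uri->withBasePath($dir === '.' ? '' : $dir);` keeps the rewrite from producing a relative base, and lowercasing before `str_ends_with` would preserve the earlier case handling if that was intentional. `str_ends_with()` exists only from PHP 8.0 (or via a polyfill), which I cannot confirm from the hunk is the project's floor. The docblock restates the native types; I would replace it with the rationale that now sits inside the `if`, e.g. `/** Strip a trailing index.php from the base path so {base_url} resolves static assets; only the URI passed to SmartyPlugins is altered, routing is untouched. */`. The method containing the second hunk (`$uri = self::cleanBasePath($uri);`) starts before the hunk.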


@ -5,11 +5,6 @@ require_once __DIR__ . '/vendor/autoload.php';
use Alltube\App; use Alltube\App;
use Alltube\ErrorHandler; use Alltube\ErrorHandler;
if (isset($_SERVER['REQUEST_URI']) && strpos($_SERVER['REQUEST_URI'], '/index.php') !== false) {
header('Location: ' . str_ireplace('/index.php', '/', $_SERVER['REQUEST_URI']));
die;
}
try { try {
// Create app. // Create app.
$app = new App(); $app = new App();


@ -1,5 +1,5 @@
<h1 class="logobis"> <h1 class="logobis">
<a class="logocompatible" href="{base_url}"> <a class="logocompatible" href="{path_for name="index"}">
<span class="logocompatiblemask"> <span class="logocompatiblemask">
{html_image file='img/logocompatiblemask.png' path_prefix={base_url}|cat:'/' alt=$config->appName} {html_image file='img/logocompatiblemask.png' path_prefix={base_url}|cat:'/' alt=$config->appName}
</span> </span>
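Review bot: The `href` on the `logocompatible` anchor switches to `{path_for name="index"}` (taking the path_for form as the new side; the addition/deletion counts admit either), while `path_prefix={base_url}|cat:'/'` on the `html_image` line in the same element keeps the base-url form, so if the change is meant to stop the logo link from depending on the base URL, the image prefix still does. If that split is intended, a short template comment stating why the two differ, e.g. `{* href goes through the router and is independent of the base path; the asset prefix still needs base_url *}`, would keep the next reader from "fixing" one to match the other. The `h1` element closes outside the hunk.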