diff core/lib/Drupal/Core/Security/RequestSanitizer.php @ 17:129ea1e6d783
Update, including to Drupal core 8.6.10
author | Chris Cannam |
date | Thu, 28 Feb 2019 13:21:36 +0000 |
parents | c2387f117808 |
children |
--- a/core/lib/Drupal/Core/Security/RequestSanitizer.php Tue Jul 10 15:07:59 2018 +0100
+++ b/core/lib/Drupal/Core/Security/RequestSanitizer.php Thu Feb 28 13:21:36 2019 +0000
@@ -90,7 +90,8 @@
 }
 if ($bag->has('destination')) {
- $destination_dangerous_keys = static::checkDestination($bag->get('destination'), $whitelist);
+ $destination = $bag->get('destination');
+ $destination_dangerous_keys = static::checkDestination($destination, $whitelist);
 if (!empty($destination_dangerous_keys)) {
 // The destination is removed rather than sanitized because the URL
 // generator service is not available and this method is called very
@@ -101,6 +102,16 @@
 trigger_error(sprintf('Potentially unsafe destination removed from %s parameter bag because it contained the following keys: %s', $bag_name, implode(', ', $destination_dangerous_keys)));
 }
 }
+ // Sanitize the destination parameter (which is often used for redirects)
+ // to prevent open redirect attacks leading to other domains.
+ if (UrlHelper::isExternal($destination)) {
+ // The destination is removed because it is an external URL.
+ $bag->remove('destination');
+ $sanitized = TRUE;
+ if ($log_sanitized_keys) {
+ trigger_error(sprintf('Potentially unsafe destination removed from %s parameter bag because it points to an external URL.', $bag_name));
+ }
+ }
 }
 return $sanitized;
 }
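Review bot: In the second hunk the new `UrlHelper::isExternal($destination)` block runs even after the preceding `!empty($destination_dangerous_keys)` branch has already removed the parameter, because it tests the stale `$destination` local rather than the bag; a destination that both carries dangerous keys and is external is therefore removed twice and, when `$log_sanitized_keys` is set, reported twice with two different reasons. Guarding the second check on the parameter still being present keeps one notice per removal: `if ($bag->has('destination') && UrlHelper::isExternal($destination)) {`. The double removal itself is harmless, so this is a logging-accuracy point rather than a gap in the open-redirect protection; if the duplicate notice is intentional, a one-line comment saying so would stop the next reader from "fixing" it. The enclosing method's signature and the file's `use` statements are outside the hunk, so I assume `UrlHelper` is already imported.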