Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Fix redirect to external website. Bad sanitizing of backtopage parameter

Browse Source
This commit is contained in:
Laurent Destailleur
2021-03-14 11:38:42 +01:00
parent bcfe711544
commit 0a542ad9f9
2 changed files with 22 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
htdocs/core/lib/functions.lib.php
View File

@@ -613,7 +613,7 @@ function GETPOST($paramname, $check = 'alphanohtml', $method = 0, $filter = null
// Sanitizing for special parameters. There is no reason to allow the backtopage parameter to contains an external URL.
if ($paramname == 'backtopage') {
$out = str_replace('\\', '/', $out);
$out = preg_replace(array('/^:*\/\/+/', '/^[a-z]*:+/i'), '', $out);
$out = preg_replace(array('/^[a-z:]*\/\/+/i'), '', $out);
}
// Code for search criteria persistence.