Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Protect backtourl from using external urls

Browse Source
This commit is contained in:
Laurent Destailleur
2021-03-28 21:39:18 +02:00
parent a5d84200dc
commit 2a431d4951
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
htdocs/core/lib/functions.lib.php
View File

@@ -634,8 +634,8 @@ function GETPOST($paramname, $check = 'alphanohtml', $method = 0, $filter = null
$out = checkVal($out, $check, $filter, $options);
}
// Sanitizing for special parameters. There is no reason to allow the backtopage parameter to contains an external URL.
if ($paramname == 'backtopage' || $paramname == 'backtolist') {
// Sanitizing for special parameters. There is no reason to allow the backtopage, backtolist or backtourl parameter to contains an external URL.
if ($paramname == 'backtopage' || $paramname == 'backtolist' || $paramname == 'backtourl') {
$out = str_replace('\\', '/', $out);
$out = str_replace(array(':', ';', '@'), '', $out);