
0001-SECURITY-Don-t-redirect-to-external-sites-after-logi.patch

Authored By
Tgr
Jun 10 2016, 4:45 PM
Size
1 KB
Referenced Files
None
Subscribers
None

From bad7a9f4cbb23dd4abb54c963fef23589acc2d60 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gerg=C5=91=20Tisza?= <gtisza@wikimedia.org>
Date: Fri, 10 Jun 2016 16:40:11 +0000
Subject: [PATCH] [SECURITY] Don't redirect to external sites after login
(AuthManager version)
The returnto URL parameter accepts interwiki prefixes, even non-local ones.
I953f99b446 has a partial fix; this applies it to AuthManager.
Bug: T109140
Change-Id: I7e02a9f587863630724c8ff9d61610ecd0717b3c
---
includes/specials/helpers/LoginHelper.php | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/includes/specials/helpers/LoginHelper.php b/includes/specials/helpers/LoginHelper.php
index f853f41..2196bd9 100644
--- a/includes/specials/helpers/LoginHelper.php
+++ b/includes/specials/helpers/LoginHelper.php
@@ -75,7 +75,12 @@ class LoginHelper extends ContextSource {
// Allow modification of redirect behavior
Hooks::run( 'PostLoginRedirect', [ &$returnTo, &$returnToQuery, &$type ] );
- $returnToTitle = Title::newFromText( $returnTo ) ?: Title::newMainPage();
+ $returnToTitle = Title::newFromText( $returnTo );
+ // T109140: Don't redirect to external sites since MediaWiki will
+ // never generate a URL like that
+ if ( !$returnToTitle || $returnToTitle->isExternal() ) {
+ $returnToTitle = Title::newMainPage();
+ }
if ( $wgSecureLogin && !$stickHTTPS ) {
$options = [ 'http' ];
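Review bot: In the new `if ( !$returnToTitle || $returnToTitle->isExternal() )` block only `$returnToTitle` is reset, while `$returnToQuery` (passed by reference to the `PostLoginRedirect` hook just above) keeps whatever value came with the rejected target. If that query is appended to the redirect URL further down, a query string meant for the discarded external title ends up on the main page URL; consider setting `$returnToQuery` to an empty value inside the same block. Placing the check after `Hooks::run` is the right order, since it also covers a `$returnTo` rewritten by a hook handler. The diffstat shows only LoginHelper.php changing, so a regression test that passes an interwiki-prefixed `returnto` and asserts the main-page fallback would be worth adding, particularly since the commit message describes the earlier change as a partial fix.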
--
1.9.1

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
3789382
Default Alt Text
0001-SECURITY-Don-t-redirect-to-external-sites-after-logi.patch (1 KB)
