[fix] CVE-2018-11347 http header injection

This commit is contained in:
Laurent Peuch 2018-12-06 23:21:13 +01:00
parent 61035e3c27
commit 253cde4b9a


@ -910,6 +910,14 @@ function login()
-- Forward the `r` URI argument if it exists to redirect -- Forward the `r` URI argument if it exists to redirect
-- the user properly after a successful login. -- the user properly after a successful login.
if uri_args.r then if uri_args.r then
-- If `uri_args.r` contains line break, someone is probably trying to
-- pass some additional headers
if string.match(uri_args.r, "(.*)\n") then
flash("fail", t("redirection_error_invalid_url"))
ngx.log(ngx.ERR, "Redirection url is invalid")
return redirect(conf.portal_url)
end
return redirect(conf.portal_url.."?r="..uri_args.r) return redirect(conf.portal_url.."?r="..uri_args.r)
else else
return redirect(conf.portal_url) return redirect(conf.portal_url)
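Review bot: The new guard at the top of the `if uri_args.r` branch only rejects a bare line feed, so a carriage return on its own passes through and the value is still concatenated unencoded into the redirect target on the line after the guard. A tighter check is `if type(uri_args.r) ~= "string" or string.find(uri_args.r, "[\r\n]") then` (the `type` test also covers a repeated `r` argument, which arrives as a table if `uri_args` comes from `ngx.req.get_uri_args` and would make `string.match` raise), and the redirect should re-encode the value, `return redirect(conf.portal_url.."?r="..ngx.escape_uri(uri_args.r))`, so that whatever survives the check cannot alter the Location header. The capture in `"(.*)\n"` is unused; a plain-text `string.find` with the `plain` flag would make the intent clearer. `login()` starts before this hunk.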