diff --git a/phpgwapi/ntlm/index.php b/phpgwapi/ntlm/index.php
index 8049a373a2..32d0481f82 100644
--- a/phpgwapi/ntlm/index.php
+++ b/phpgwapi/ntlm/index.php
@@ -7,10 +7,35 @@
 * @package api
 * @subpackage authentication
 * @author Ralf Becker
- * @copyright (c) 2008 by Ralf Becker
+ * @copyright (c) 2008-2011 by Ralf Becker
 * @version $Id$
 */
 
+/**
+ * Check if given domain is either whitelisted, the current one or the EGroupware one
+ *
+ * Used to NOT redirect to arbitrary urls.
+ *
+ * @param string $url full url or just path, later is always allowed, as it stays within the domain
+ * @return boolean
+ */
+function check_domain($url)
+{
+ $whitelisted = array(
+ $_SERVER['HTTP_HOST'], // can contain :port
+ // add additional domains-names (just full qualified hostnames) here
+
+ );
+ if ($GLOBALS['egw_info']['server']['webserver_url'][0] === 'h')
+ {
+ $whitelisted[] = parse_url($GLOBALS['egw_info']['server']['webserver_url'], PHP_URL_HOST);
+ }
+ $parts = parse_url($url);
+ $host = $parts['host'].($parts['port'] ? ':'.$parts['port'] : '');
+
+ return $url[0] == '/' || in_array($host, $whitelisted);
+}
+
 /**
 * check if the given user has access
 *
@@ -22,7 +47,7 @@ function check_access(&$account)
 {
 //error_log("AUTH_TYPE={$_SERVER['AUTH_TYPE']}, REMOTE_USER={$_SERVER['REMOTE_USER']}, HTTP_USER_AGENT={$_SERVER['HTTP_USER_AGENT']}, http_auth_types={$GLOBALS['egw_info']['server']['http_auth_types']}");
-
+
 if (isset($_SERVER['REMOTE_USER']) && $_SERVER['REMOTE_USER'] &&
 isset($_SERVER['AUTH_TYPE']) && isset($GLOBALS['egw_info']['server']['http_auth_types']) &&
 $GLOBALS['egw_info']['server']['http_auth_types'] &&
 in_array(strtoupper($_SERVER['AUTH_TYPE']),explode(',',strtoupper($GLOBALS['egw_info']['server']['http_auth_types']))))
@@ -36,7 +61,7 @@ function check_access(&$account)
 }
 if (!$sessionid)
 {
- if (isset($_GET['forward']))
+ if (isset($_GET['forward']) && check_domain($_GET['forward']))
 {
 header('Location: '.$_GET['forward']);
 }
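Review bot: The `return $url[0] == '/' || in_array($host, $whitelisted);` line of the new check_domain() treats every value with a leading slash as a same-host path, but a scheme-relative value such as `//other-host/...` also starts with `/`, and the `Location:` header written by the callers in the hunks at old lines 36 and 57 would then send the browser to that other host — the exact case the function is meant to block. The same function reads `$parts['host']` and `$parts['port']` without `isset`, so a value with no host, or one `parse_url()` rejects by returning `false`, produces notices instead of a clean `false`, and `in_array()` is called without `strict: true`. Treat only a single leading slash as a path (rejecting `//` and `/\`, which some browsers also normalise to a scheme-relative URL), fail closed when no host can be extracted, and compare strictly; the two call sites need no change. Note also that `$_SERVER['HTTP_HOST']` comes from the request's Host header, so the first whitelist entry is only as trustworthy as the webserver's virtual-host configuration — worth a comment on that line.
```php
function check_domain($url)
{
	// … unchanged: $whitelisted built from HTTP_HOST and webserver_url …

	// only a single leading slash is a same-host path: "//host" and "/\host" are scheme-relative
	if ($url !== '' && $url[0] === '/')
	{
		return !isset($url[1]) || ($url[1] !== '/' && $url[1] !== '\\');
	}
	$parts = parse_url($url);
	if ($parts === false || empty($parts['host']))
	{
		return false;	// fail closed: nothing to compare against the whitelist
	}
	$host = $parts['host'].(isset($parts['port']) ? ':'.$parts['port'] : '');

	return in_array($host, $whitelisted, true);
}
```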
@@ -57,7 +82,7 @@ $GLOBALS['egw_info']['flags'] = array(
 // if you move this file somewhere else, you need to adapt the path to the header!
 include(dirname(__FILE__).'/../../header.inc.php');
 
-if (isset($_GET['forward']))
+if (isset($_GET['forward']) && check_domain($_GET['forward']))
 {
 $forward = $_GET['forward'];
 $GLOBALS['egw']->session->appsession('referer', 'login', $forward);