From ff567e04e5886923371ed4ac5d43061fcbb03a38 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hans-J=C3=BCrgen=20Tappe?= Date: Tue, 13 Apr 2010 19:27:54 +0000 Subject: [PATCH] From tracker 2276: Restrict redirect.php to allow requests only from within eGroupware. HTTP_REFERER is checked against the egroupware path. A valid session is now required. --- redirect.php | 69 +++++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 58 insertions(+), 11 deletions(-) diff --git a/redirect.php b/redirect.php index 13a72803d0..b4db6c7f0b 100644 --- a/redirect.php +++ b/redirect.php @@ -10,15 +10,15 @@ * Free Software Foundation; either version 2 of the License, or (at your * * option) any later version. * \**************************************************************************/ - + /* $Id$ */ /* Use this script when you want to link to a external url. This way you don't send something like sessionid as referer - + Use this in your app: - + "' */ 
@@ -32,17 +32,64 @@
 }
 }
- if($_GET['go'])
- {
- $url= html_entity_decode(urldecode($_GET['go']));
- unset($_GET['go']);
- if (!empty($_GET)) $url=$url."&".http_build_query($_GET);
+ /* Only allow redirects with a valid session */
+ $GLOBALS['egw_info'] = array(
+ 'flags' => array(
+ 'noheader' => True,
+ 'nonavbar' => True,
+ 'currentapp' => 'home'
+ )
+ );
+ include('./header.inc.php');
 
- Header('Location: ' . html_entity_decode(urldecode($url)));
- exit;
+
+ /* Only allow redirects from inside this eGroupware installation. */
+ $valid_referer = array();
+ $path = preg_replace('/\/[^\/]*$/','',$_SERVER['PHP_SELF']) . '/';
+ array_push($valid_referer, $path);
+ array_push($valid_referer, ($_SERVER['HTTPS'] ? 'https://' : 'http://') . $_SERVER['SERVER_ADDR'] . $path);
+ array_push($valid_referer, ($_SERVER['HTTPS'] ? 'https://' : 'http://') . $_SERVER['SERVER_NAME'] . $path);
+
+ $referrer = trim($_SERVER['HTTP_REFERER']);
+ if ((!isset($_SERVER['HTTP_REFERER'])) || (empty($referrer)))
+ {
+ echo "Only usable from within eGroupware.\n";
+ }
+ else if($_GET['go'])
+ {
+ $allow = false;
+ foreach ($valid_referer as $urlRoot)
+ {
+ /* Check if the referrer begins with a valid URL. */
+ if (strncmp($urlRoot, $referrer, strlen($urlRoot)) == 0)
+ {
+ $allow = true;
+ break;
+ }
+ }
+ if ($allow)
+ {
+ $url= html_entity_decode(urldecode($_GET['go']));
+ unset($_GET['go']);
+ /* Only add "&" if there is something to append. */
+ if (!empty($_GET))
+ {
+ $url=$url."&".http_build_query($_GET);
+ }
+
+ Header('Location: ' . html_entity_decode(urldecode($url)));
+ exit;
+ }
+ else
+ {
+ echo "Redirect not allowed for referrer '".$_SERVER['HTTP_REFERER']."'.\n";
+ echo "
";
+			print_r($valid_referer);
+			echo "
\n";
+		}
 	}
 	else
 	{
-		echo "this won't work!!";
+		echo "Error redirecting.";
 	}
 ?>
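Review bot: The rejection branch under `else` of `if ($allow)` writes `$_SERVER['HTTP_REFERER']` into the response unescaped and then `print_r`s `$valid_referer`, which includes `SERVER_ADDR`; the header is client-controlled, so the message should be `echo "Redirect not allowed for referrer '".htmlspecialchars($_SERVER['HTTP_REFERER'], ENT_QUOTES, 'UTF-8')."'.\n";` and the `print_r` line with its two surrounding `echo` lines should be dropped (a server-side log entry can carry that detail instead). `$referrer = trim($_SERVER['HTTP_REFERER']);` runs before the `isset` test on the next line, so a request without the header raises a notice; `$referrer = isset($_SERVER['HTTP_REFERER']) ? trim($_SERVER['HTTP_REFERER']) : '';` followed by `if ($referrer === '')` keeps the intent. Because the Referer header is supplied by the client and browsers or proxies may omit it, the prefix check only limits navigations started from other sites; the session requirement via `header.inc.php` (presumably enforced there, outside this diff) is the control to rely on, and the bare `$path` entry in `$valid_referer` can never match an absolute referer URL. The two `}` context lines at the top of the hunk close a block that begins above it.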