mirror of
https://framagit.org/hubzilla/core.git
synced 2026-06-21 00:52:33 -04:00
b3ca31bce7
Don't follow urls to external sites when submitting forms from the settings modules. This mitigates an Open Redirect vulnerability where an attacker could trick a user to go to an attacker controlled destination. Fixes part of https://framagit.org/hubzilla/core/-/issues/1666
49 lines
1.1 KiB
PHP
49 lines
1.1 KiB
PHP
<?php
|
|
|
|
namespace Zotlabs\Module\Settings;
|
|
|
|
use Zotlabs\Lib\Libsync;
|
|
|
|
class Editor {
|
|
|
|
function post() {
|
|
|
|
$module = substr(strrchr(strtolower(static::class), '\\'), 1);
|
|
|
|
check_form_security_token_redirectOnErr('/settings/' . $module, 'settings_' . $module);
|
|
|
|
$features = get_module_features($module);
|
|
|
|
process_module_features_post(local_channel(), $features, $_POST);
|
|
|
|
Libsync::build_sync_packet();
|
|
|
|
if(isset($_POST['rpath']) && is_local_url($_POST['rpath']))
|
|
goaway($_POST['rpath']);
|
|
|
|
return;
|
|
}
|
|
|
|
function get() {
|
|
|
|
$module = substr(strrchr(strtolower(static::class), '\\'), 1);
|
|
|
|
$features = get_module_features($module);
|
|
$rpath = (($_GET['rpath']) ? $_GET['rpath'] : '');
|
|
|
|
$tpl = get_markup_template("settings_module.tpl");
|
|
|
|
$o .= replace_macros($tpl, array(
|
|
'$rpath' => escape_url($rpath),
|
|
'$action_url' => 'settings/' . $module,
|
|
'$form_security_token' => get_form_security_token('settings_' . $module),
|
|
'$title' => t('Editor Settings'),
|
|
'$features' => process_module_features_get(local_channel(), $features),
|
|
'$submit' => t('Submit')
|
|
));
|
|
|
|
return $o;
|
|
}
|
|
|
|
}
|