Cross-site Scripting (XSS) when redirect an url

Fasse · Fasse · commit 470f534768f4 · 2021-12-06T18:25:29.000+01:00
diff --git a/adm_program/system/bootstrap/function.php b/adm_program/system/bootstrap/function.php
@@ -301,7 +301,7 @@ function admFuncProcessableImageSize()
  * @param array<string,mixed> $array        The array with the element that should be checked
  * @param string              $variableName Name of the array element that should be checked
  * @param string              $datatype     The datatype like **string**, **numeric**, **int**, **float**, **bool**, **boolean**, **html**,
- *                                          **date**, **file** or **folder** that is expected and which will be checked.
+ *                                          **url**, **date**, **file** or **folder** that is expected and which will be checked.
  *                                          Datatype **date** expects a date that has the Admidio default format from the
  *                                          preferences or the english date format **Y-m-d**
  * @param array<string,mixed> $options      (optional) An array with the following possible entries:
@@ -387,7 +387,8 @@ function admFuncVariableIsValid(array $array, $variableName, $datatype, array $o
 
     switch ($datatype)
     {
-        case 'file':
+        case 'file': // fallthrough
+        case 'folder':
             try
             {
                 if ($value !== '')
@@ -461,6 +462,12 @@ function admFuncVariableIsValid(array $array, $variableName, $datatype, array $o
             // check html string vor invalid tags and scripts
             $value = Htmlawed::filter(stripslashes($value), array('safe' => 1));
             break;
+
+        case 'url':
+            if (!StringUtils::strValidCharacters($value, 'url')) {
+                $errorMessage = $gL10n->get('SYS_INVALID_PAGE_VIEW');
+            }
+            break;
     }
 
     // wurde kein Fehler entdeckt, dann den Inhalt der Variablen zurueckgeben
diff --git a/adm_program/system/classes/StringUtils.php b/adm_program/system/classes/StringUtils.php
@@ -182,7 +182,8 @@ public static function strValidCharacters($string, $checkType)
                 $validRegex = '=^[^/?*;:~<>|\"\\\\]+$=';
                 break;
             case 'url':
-                $validRegex = '/^[\wáàâåäæçéèêîñóòôöõøœúùûüß$&!?() \/%=#:~.@+-]+$/i';
+                //$validRegex = '/^[\wáàâåäæçéèêîñóòôöõøœúùûüß$&!?() \/%=#:~.@+-]+$/i';
+                $validRegex = '/\b(?:(?:https?|ftp):\/\/|www\.)[-a-z0-9+&@#\/%?=~_|!:,.;]*[-a-z0-9+&@#\/%=~_|]/i';
                 break;
             case 'phone':
                 $validRegex = '/^[\d() \/+-]+$/i';
diff --git a/adm_program/system/redirect.php b/adm_program/system/redirect.php
@@ -19,7 +19,7 @@
 require_once(__DIR__ . '/common.php');
 
 // Initialize and check the parameters
-$getUrl = admFuncVariableIsValid($_GET, 'url', 'string', array('requireValue' => true));
+$getUrl = admFuncVariableIsValid($_GET, 'url', 'url', array('requireValue' => true));
 
 if (filter_var($getUrl, FILTER_VALIDATE_URL) === false)
 {

Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@`
`19`	`19`	`require_once(__DIR__ . '/common.php');`
`20`	`20`
`21`	`21`	`// Initialize and check the parameters`
`22`		`-$getUrl = admFuncVariableIsValid($_GET, 'url', 'string', array('requireValue' => true));`
	`22`	`+$getUrl = admFuncVariableIsValid($_GET, 'url', 'url', array('requireValue' => true));`
`23`	`23`
`24`	`24`	`if (filter_var($getUrl, FILTER_VALIDATE_URL) === false)`
`25`	`25`	`{`