author | David Rothstein <drothstein@gmail.com> | 2015-03-18 15:23:16 -0400 |
---|---|---|
committer | David Rothstein <drothstein@gmail.com> | 2015-03-18 15:23:16 -0400 |
commit | c4164898def11c956348750c9b41fdbb06ddb069 (patch) | |
tree | a04720f5b76742f87c36ff51bff40afb5844b68d /includes/bootstrap.inc | |
parent | ea85d7c8e6f1793357841d0ba8d64f01cd3f69f4 (diff) | |
parent | b44056d2f8e8c71d35c85ec5c2fb8f7c8a02d8a8 (diff) | |
Merge tag '7.35' into 7.x
7.35 release
Conflicts:
CHANGELOG.txt
includes/bootstrap.inc
Diffstat (limited to 'includes/bootstrap.inc')
-rw-r--r-- | includes/bootstrap.inc | 22 |
1 files changed, 21 insertions, 1 deletions
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 9f37dfcf1..b1dd6eb1f 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -8,7 +8,7 @@
 /**
 * The current system version.
 */
-define('VERSION', '7.35-dev');
+define('VERSION', '7.36-dev');
 /**
 * Core API compatibility.
@@ -2497,6 +2497,26 @@ function _drupal_bootstrap_variables() {
 // Load bootstrap modules.
 require_once DRUPAL_ROOT . '/includes/module.inc';
 module_load_all(TRUE);
+
+ // Sanitize the destination parameter (which is often used for redirects) to
+ // prevent open redirect attacks leading to other domains. Sanitize both
+ // $_GET['destination'] and $_REQUEST['destination'] to protect code that
+ // relies on either, but do not sanitize $_POST to avoid interfering with
+ // unrelated form submissions. The sanitization happens here because
+ // url_is_external() requires the variable system to be available.
+ if (isset($_GET['destination']) || isset($_REQUEST['destination'])) {
+ require_once DRUPAL_ROOT . '/includes/common.inc';
+ // If the destination is an external URL, remove it.
+ if (isset($_GET['destination']) && url_is_external($_GET['destination'])) {
+ unset($_GET['destination']);
+ unset($_REQUEST['destination']);
+ }
+ // If there's still something in $_REQUEST['destination'] that didn't come
+ // from $_GET, check it too.
+ if (isset($_REQUEST['destination']) && (!isset($_GET['destination']) || $_REQUEST['destination'] != $_GET['destination']) && url_is_external($_REQUEST['destination'])) {
+ unset($_REQUEST['destination']);
+ }
+ }
 }
 /** |
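Review bot: In the second hunk (the block added to `_drupal_bootstrap_variables()`), `$_GET['destination']` and `$_REQUEST['destination']` go to `url_is_external()` without a type check, although a request can supply the parameter as an array (`destination[]=...`). `url_is_external()` is defined outside this diff, so its handling of a non-string cannot be confirmed here. Treating anything that is not a string as unsafe keeps the filter's result well defined, e.g. `if (isset($_GET['destination']) && (!is_string($_GET['destination']) || url_is_external($_GET['destination']))) {`, with the same guard on the `$_REQUEST` branch. The comparison `$_REQUEST['destination'] != $_GET['destination']` is loose; `!==` would keep PHP type juggling from deciding whether the `$_REQUEST` value gets checked. The function body starts before this hunk, so any earlier handling of these superglobals is not visible.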