Drupal
/
drupal
mirror of https://git.drupalcode.org/project/drupal.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Issue #2140447 by larowlan, Heine: Open redirect in overlay (forward port of SA-CORE-2013-003).

8.0.x
webchick 2013-11-22 15:29:47 -08:00
parent 9d46714d97
commit 15a9a70046
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
core/modules/overlay/lib/Drupal/overlay/EventSubscriber/OverlaySubscriber.php
View File

@ -9,6 +9,7 @@ namespace Drupal\overlay\EventSubscriber;
use Drupal\Core\ContentNegotiation;
use Drupal\Core\Routing\UrlGeneratorInterface;
use Drupal\Component\Utility\Url;
use Drupal\user\UserData;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
@ -106,6 +107,10 @@ class OverlaySubscriber implements EventSubscriberInterface {
// If this page shouldn't be rendered inside the overlay, redirect to
// the parent.
elseif (!path_is_admin($current_path)) {
// Prevent open redirects by ensuring the current path is not an absolute URL.
if (Url::isExternal($current_path)) {
$current_path = '<front>';
}
$response = overlay_close_dialog($current_path, array('query' => drupal_get_query_parameters(NULL, array('render'))));
$event->setResponse($response);
}