Changeset 15036 for branches/rel

Timestamp:

2007/07/11 12:31:03 (17 years ago)

Author:

adati

Message:

パラメータ操作によるリダイレクトが可能となる脆弱性を修正

File:

• branches/rel/html/frontparts/login_check.php (modified) (3 diffs)

branches/rel/html/frontparts/login_check.php

@@ -6 +6 @@
  */
 require_once("../require.php");
+
+// ÉÔÀµ¤ÊURL¤¬POST¤µ¤ì¤¿¾ì¹ç¤Ï¥¨¥é¡¼É½¼¨
+if (isset($_POST['url']) && lfIsValidURL() !== true) {
+    gfDebugLog("login_check.php debug \n" . $POST['url']);
+    sfDispSiteError(PAGE_ERROR);
+}
 
 $objCustomer = new SC_Customer();
@@ -22 +28 @@
     $arrErr = $objFormParam->checkError();
     $arrForm =  $objFormParam->getHashArray();
-    
     // ¥¯¥Ã¥­¡¼ÊݸȽÄê
     if ($arrForm['login_memory'] == "1" && $arrForm['login_email'] != "") {
@@ -73 +78 @@
     $objFormParam->addParam("¥Ñ¥¹¥ï¡¼¥É", "login_pass", STEXT_LEN, "", array("EXIST_CHECK", "MAX_LENGTH_CHECK"));
 }
+
+/* POST¤µ¤ì¤ëURL¤¬¼«¥É¥á¥¤¥ó¤Î¤â¤Î¤«¥Á¥§¥Ã¥¯*/
+function lfIsValidURL() {
+    $check_url = trim($_POST['url']);
+    
+    // ¥É¥á¥¤¥ó¥Á¥§¥Ã¥¯
+    $pattern = "|^$site_url|";
+    if (!preg_match($pattern, $check_url)) {
+        return false;
+    }
+
+    // CRLF¥Á¥§¥Ã¥¯
+    $pattern = '/\r|\n|%0D|%0A/';
+    if (preg_match_all($pattern, $check_url, $matches)) {
+        return false;
+    }
+    
+    return true;
+}
+
 ?>