Fix header injection and open redirects from referrer header

This commit is contained in:
Luc Didry 2018-10-26 17:34:50 +02:00
parent 72404aaf99
commit c64d26a292
No known key found for this signature in database
GPG Key ID: EA868E12D0257E3C
1 changed files with 3 additions and 1 deletions


@ -2,6 +2,7 @@
package Lufi::Controller::Misc;
use Mojo::Base 'Mojolicious::Controller';
use Mojo::File;
use Mojo::URL;
use Lufi::DB::File;
sub index {
@ -21,7 +22,8 @@ sub change_lang {
$c->cookie($c->app->moniker.'_lang' => $l, { path => $c->config('prefix') });
}
if ($c->req->headers->referrer) {
if ($c->req->headers->referrer
&& Mojo::URL->new($c->req->headers->referrer)->host eq $c->req->url->host) {
return $c->redirect_to($c->req->headers->referrer);
} else {
return $c->redirect_to('/');
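Review bot: The new same-host check compares against `$c->req->url->host`, which in Mojolicious is usually undef for an ordinary request because the request URL carries only the path and the host lives on `$c->req->url->base` (reached via `to_abs`); if that holds for the Mojolicious version Lufi runs on, an absolute referrer never matches, the branch always falls through to `/`, and `eq` emits an uninitialized-value warning on every request with a Referer. The comparison should be made against `$c->req->url->to_abs->host`, and a referrer whose parsed host is undef should not be allowed to match, since `undef eq undef` is true under string comparison. Something like `my $ref_host = Mojo::URL->new($c->req->headers->referrer)->host;` followed by `if ($ref_host && $ref_host eq $c->req->url->to_abs->host) {` keeps the intent of the fix while making the match explicit. The enclosing `change_lang` begins before this hunk.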