Commit 343ee2ae authored by Côme Chilliet's avatar Côme Chilliet

Merge branch '5935-fatal-error-due-to-crsf-security' into '1.4-dev'

Resolve "Fatal error due to CRSF security"

See merge request fusiondirectory/fd!475

(cherry picked from commit 555e9489)

597d64c9 :ambulance: fix(CSRFProtection) Split HTTP_X_FORWARDED_HOST to take only the first value
Showing with 2 additions and 1 deletion
+2 -1
...@@ -56,7 +56,8 @@ class CSRFProtection ...@@ -56,7 +56,8 @@ class CSRFProtection
$origin = preg_replace('|^[^/]+://([^/]+)(/.*)?$|', '\1', $origin); $origin = preg_replace('|^[^/]+://([^/]+)(/.*)?$|', '\1', $origin);
$target = FALSE; $target = FALSE;
if (!empty($_SERVER['HTTP_X_FORWARDED_HOST'])) { if (!empty($_SERVER['HTTP_X_FORWARDED_HOST'])) {
$target = $_SERVER['HTTP_X_FORWARDED_HOST']; /* Only take the first value, there may be several separated by commas */
list($target) = explode(',', $_SERVER['HTTP_X_FORWARDED_HOST'], 2);
} else } else
if (!empty($_SERVER['HTTP_HOST'])) { if (!empty($_SERVER['HTTP_HOST'])) {
$target = $_SERVER['HTTP_HOST']; $target = $_SERVER['HTTP_HOST'];
......
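Review bot: The first element taken from `HTTP_X_FORWARDED_HOST` on the `list($target) = explode(...)` line is not trimmed, and the HTTP list syntax allows optional whitespace around the comma, so a proxy that writes `a.example , b.example` yields a `$target` with trailing whitespace that will not match the host extracted from `$origin` and the request is rejected even though it is legitimate; add `$target = trim($target);` after the `explode` line. An empty first element (a value starting with a comma) leaves `$target` as `''`, which presumably fails the later comparison closed, but it would be worth stating that intent in the comment, e.g. `/* First value is the host the client addressed; an empty or malformed value must not match */`. Separately, the branch prefers `X-Forwarded-Host` over `HTTP_HOST` whenever the header is present, without checking that the request came through a trusted proxy; that is pre-existing behaviour, but a comment noting that deployments without a proxy that strips or overwrites this header rely on the comparison failing closed would help operators. The enclosing method of `CSRFProtection` starts and ends outside the hunk.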