SA-CORE-2012-002 - Unvalidated form redirect

Here's the patch for D7 from the security team, to prevent someone from redirecting someone to evilhacker.com on login destination. Stock D6 is not vulnerable, but doesn't hurt to harden this up. Tagging accordingly.

Commit credit should go to chx, fago, greggles

Private tracker: #61499

Comment	File	Size	Author
#1	user-action-external-1558464-1-test-only.patch	973 bytes	Berdir
#1
#1	user-action-external-1558464-1.patch	1.57 KB	Berdir
#1
	sdo_61499_20_user_steal-D7-do-not-test.patch	1.5 KB	webchick

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Berdir’s picture

Comment #1

German

Switzerland

CreditAttribution: Berdir commented 4 May 2012 at 17:55

Status:

Active

» Needs review

File	Size
user-action-external-1558464-1.patch	1.57 KB

user-action-external-1558464-1-test-only.patch	973 bytes

Re-rolled.

Log in or register to post comments

aspilicious’s picture

Comment #2

aspilicious CreditAttribution: aspilicious commented 5 May 2012 at 14:12

Status:

Needs review

» Reviewed & tested by the community

Identical! :D

ciriticals--

Log in or register to post comments

Comment #3

she/they

English

Vancouver 🇨🇦

CreditAttribution: webchick commented 5 May 2012 at 17:00

Status:

Reviewed & tested by the community

» Fixed

Excellent, thank you!

Committed and pushed to 8.x.

Log in or register to post comments

Comment #4

19 May 2012 at 17:10

Automatically closed -- issue fixed for 2 weeks with no activity.

Log in or register to post comments

Comment #4.0

(not verified) CreditAttribution: commented 19 May 2012 at 17:10

Issue summary:

x

Log in or register to post comments