Here's the patch for D7 from the security team, to prevent someone from redirecting someone to evilhacker.com on login destination. Stock D6 is not vulnerable, but it doesn't hurt to harden this up. Tagging accordingly.
Commit credit should go to chx, fago, greggles
Private tracker: #61499
| Comment | File | Size | Author |
|---|---|---|---|
| #1 | user-action-external-1558464-1-test-only.patch | 973 bytes | Berdir |
| #1 | user-action-external-1558464-1.patch | 1.57 KB | Berdir |
| | sdo_61499_20_user_steal-D7-do-not-test.patch | 1.5 KB | webchick |
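The bug class the summary describes is an open redirect: a login form that honours a `destination` parameter will send the freshly authenticated user wherever that value points unless it is constrained to the site itself. The PHP below is an added illustration of that constraint, written for this page; it is not the attached patch and not Drupal's own code. The function names `is_local_destination()` and `safe_destination()`, the `<front>` fallback and the sample inputs are all assumptions/constructed.

```php
<?php
// Added example, not the Drupal patch from this issue.
// Decide whether a ?destination= value may be used as a post-login redirect.
// Only site-local paths are accepted; anything a browser would resolve
// off-site is rejected and replaced with the site front page.

function is_local_destination(string $destination): bool {
    // Leading/trailing whitespace and control characters can disguise a
    // scheme ("\thttp://evil"), so normalise before inspecting.
    $destination = trim($destination);
    if ($destination === '') {
        return false;
    }
    // Browsers treat both "/" and "\" as separators when resolving a URL,
    // so "//evil.com", "/\evil.com" and "\\evil.com" are all
    // protocol-relative redirects to another host.
    if (preg_match('#^[/\\\\]{2}#', $destination)) {
        return false;
    }
    // Any URL scheme ("http:", "HTTPS:", "javascript:", "data:", ...) means
    // this is not a site-relative path. An absolute URL for our own host is
    // refused too; callers that need that can resolve it separately.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $destination)) {
        return false;
    }
    // What is left is a relative path ("user/1") or a single-slash absolute
    // path ("/node/add"); both stay on this site when appended to the base URL.
    return true;
}

// Return the destination if it is local, otherwise the fallback.
// "<front>" is the assumed front-page placeholder used by the caller.
function safe_destination(string $destination, string $fallback = '<front>'): string {
    return is_local_destination($destination) ? $destination : $fallback;
}

// Constructed sample destinations (not taken from the issue), as they would
// arrive in $_GET['destination'] after PHP has URL-decoded them.
$samples = [
    'user/1',
    '/node/add',
    'http://evilhacker.com',
    'HTTPS://evilhacker.com/login',
    '//evilhacker.com',
    '/\\evilhacker.com',
    'javascript:alert(1)',
    "\thttp://evilhacker.com",
    '',
];
foreach ($samples as $dest) {
    printf("%-32s -> %s\n", var_export($dest, true), safe_destination($dest));
}
```

Two practical notes. Run the check on the value PHP has already decoded (`$_GET['destination']`), not on the raw query string, and then build the `Location` header as base URL plus path, so that even an odd-looking value that passes the check cannot leave the site. Drupal 7 core ships its own `url_is_external()` helper in `common.inc` for this decision; the function above is a self-contained stand-in for reading, not a replacement for it.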
Comments
Comment #1
Berdir: Re-rolled.
Comment #2
aspilicious: Identical! :D
criticals--
Comment #3
webchick: Excellent, thank you!
Committed and pushed to 8.x.