Vulnerability: redirect_goto() leads to the blank page due to translation flow [#2820766]

redirect_goto leads to the blank page always if some of the status codes here redirect_status_code_options() is translated not correctly.

Source of the issue is: drupal_add_http_header('Status', redirect_status_code_options($redirect->status_code));

As in redirect_status_code_options() statuses are wrapped in t(), it can be a reason of vulnerability.

Status header should be started always with the number like "301 ...", if someone translates locale string for example "301 Moved Permanently" like "Content is moved (301)", redirects become to be broken for whole site.

Comment	File	Size	Author
#3	redirect.status-codes-issue.2820766-2.patch	852 bytes	anton.shloma
#3	7.x-2.x: PHP 5.3 & MySQL 5.5, D7 9 pass PHP 5.6 & MySQL 5.5, D7 9 pass
#2	redirect.status-codes-issue.2820766.patch	1 KB	anton.shloma
#2	7.x-2.x: PHP 5.3 & MySQL 5.5, D7 Patch failed to apply PHP 5.6 & MySQL 5.5, D7 Patch failed to apply

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

20 October 2016 at 12:47

anton.shloma created an issue. See original summary.

Comment #2

anton.shloma CreditAttribution: anton.shloma as a volunteer and at DrupalJedi commented 20 October 2016 at 12:50

File	Size
redirect.status-codes-issue.2820766.patch	1 KB
7.x-2.x: PHP 5.3 & MySQL 5.5, D7 Patch failed to apply PHP 5.6 & MySQL 5.5, D7 Patch failed to apply

Here is simple patch, which fixes this vulnerability.

Comment #3

anton.shloma CreditAttribution: anton.shloma as a volunteer and at DrupalJedi commented 20 October 2016 at 12:59

File	Size
redirect.status-codes-issue.2820766-2.patch	852 bytes
7.x-2.x: PHP 5.3 & MySQL 5.5, D7 9 pass PHP 5.6 & MySQL 5.5, D7 9 pass

Sry, correct patch is attached

Comment #4

anton.shloma CreditAttribution: anton.shloma as a volunteer and at DrupalJedi commented 20 October 2016 at 13:00

Status:

Active

» Needs review

Needs review

» Reviewed & tested by the community

Yes, this looks good indeed. The actual status code number should not be passed to translators.

Comment #8

pifagor

🇺🇦 Rivne

CreditAttribution: pifagor at GOLEMS GABB for GOLEMS GABB commented 20 March 2018 at 05:36

1 file was hidden/shown/deleted

File	Size
redirect.status-codes-issue.2820766.patch	1 KB
7.x-2.x: PHP 5.3 & MySQL 5.5, D7 Patch failed to apply PHP 5.6 & MySQL 5.5, D7 Patch failed to apply

RTBC

Comment #9

alex_optim

🇺🇦 Rivne

CreditAttribution: alex_optim at GOLEMS GABB for GOLEMS GABB commented 4 October 2018 at 19:52

Looks good.

Comment #10

pifagor

🇺🇦 Rivne

CreditAttribution: pifagor at Drupal Ukraine Community, GOLEMS GABB for GOLEMS GABB, Drupal Ukraine Community commented 5 October 2018 at 05:16

Comment #11

5 October 2018 at 05:16

pifagor committed 5e1ed05 on 7.x-2.x authored by anton.shloma

Issue #2820766 by anton.shloma, pifagor, Stevel, alex_optim:...

Comment #12

5 October 2018 at 05:17

pifagor committed 205a166 on 7.x-1.x authored by anton.shloma

Issue #2820766 by anton.shloma, pifagor, Stevel, alex_optim:...

Comment #13

pifagor

🇺🇦 Rivne

CreditAttribution: pifagor at Drupal Ukraine Community, GOLEMS GABB for GOLEMS GABB, Drupal Ukraine Community commented 5 October 2018 at 05:17

Status:

Reviewed & tested by the community

» Fixed

Comment #14

19 October 2018 at 05:19

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Comment #15

ciss CreditAttribution: ciss at yousign GmbH commented 4 October 2019 at 13:04

Isn't the real issue here that the translated string is used in the status header?

Comment #16

ciss CreditAttribution: ciss at yousign GmbH commented 2 October 2019 at 22:49

... Well, the good news is that header injections are prevented by PHP:

Warning: Header may not contain more than a single header, new line detected in drupal_send_headers() (line 1499 of /var/www/html.original/includes/bootstrap.inc).