GNUsocial
/
gnu-social
4
0
Fork 1
Code Issues Releases Wiki Activity

OpenID extlib updated: Fixes CVE-2014-8150

This commit is contained in:
Mikael Nordfeldth 2015-08-02 13:39:38 +02:00
parent 266b032b17
commit b434243416
1 changed files with 11 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
extlib/Auth/OpenID/URINorm.php
View File

@ -93,7 +93,17 @@ function Auth_OpenID_pct_encoded_replace_unreserved($mo)
function Auth_OpenID_pct_encoded_replace($mo)
{
return chr(intval($mo[1], 16));
$code = intval($mo[1], 16);
// Prevent request splitting by ignoring newline and space characters
if($code === 0xA || $code === 0xD || $code === ord(' '))
{
return $mo[0];
}
else
{
return chr($code);
}
}
function Auth_OpenID_remove_dot_segments($path)