eliseuamaro/gnu-social
1
0
Fork 0
forked from GNUsocial/gnu-social
Code Issues Pull Requests Releases Wiki Activity

OpenID extlib updated: Fixes CVE-2014-8150

Browse Source
This commit is contained in:
Mikael Nordfeldth 2015-08-02 13:39:38 +02:00
parent 266b032b17
commit b434243416
1 changed files with 11 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
extlib/Auth/OpenID/URINorm.php
View File

@ -93,7 +93,17 @@ function Auth_OpenID_pct_encoded_replace_unreserved($mo)
function Auth_OpenID_pct_encoded_replace($mo) function Auth_OpenID_pct_encoded_replace($mo)
{ {
return chr(intval($mo[1], 16)); $code = intval($mo[1], 16);
// Prevent request splitting by ignoring newline and space characters
if($code === 0xA || $code === 0xD || $code === ord(' '))
{
return $mo[0];
}
else
{
return chr($code);
}
} }
function Auth_OpenID_remove_dot_segments($path) function Auth_OpenID_remove_dot_segments($path)