forked from GNUsocial/gnu-social
OpenID extlib updated: Fixes CVE-2014-8150
This commit is contained in:
parent
204f6bb503
commit
c1e6e4e65b
@ -93,7 +93,17 @@ function Auth_OpenID_pct_encoded_replace_unreserved($mo)
|
|||||||
|
|
||||||
function Auth_OpenID_pct_encoded_replace($mo)
|
function Auth_OpenID_pct_encoded_replace($mo)
|
||||||
{
|
{
|
||||||
return chr(intval($mo[1], 16));
|
$code = intval($mo[1], 16);
|
||||||
|
|
||||||
|
// Prevent request splitting by ignoring newline and space characters
|
||||||
|
if($code === 0xA || $code === 0xD || $code === ord(' '))
|
||||||
|
{
|
||||||
|
return $mo[0];
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
return chr($code);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
function Auth_OpenID_remove_dot_segments($path)
|
function Auth_OpenID_remove_dot_segments($path)
|
||||||
|
Loading…
Reference in New Issue
Block a user