3f71cd4547c5afb1a52d80d9290fb76fc826e0a0 galt Fri Jan 10 15:18:12 2020 -0800 expanding filtering to take in just "//" since it is equivalent to "://" and we want to forbid both. This url pattern is a protocol-agnostic form which uses the context of the page. Reported to us as XSS violation. refs#24750.
diff --git src/hg/cartReset/cartReset.c src/hg/cartReset/cartReset.c
index 28956d9..bdf6330 100644
--- src/hg/cartReset/cartReset.c
+++ src/hg/cartReset/cartReset.c
@@ -1,52 +1,52 @@
/* cartReset - Reset cart. */ /* Copyright (C) 2013 The Regents of the University of California * See README in this or parent directory for licensing information. */ #include "common.h" #include "linefile.h" #include "hash.h" #include "cheapcgi.h" #include "htmshell.h" #include "hui.h" #include "cart.h" static char *defaultDestination = "../cgi-bin/hgGateway"; void doMiddle() /* cartReset - Reset cart. */ { cartResetInDb(hUserCookie()); /* //Keep in case we need it later. The standards say we should provide //a clickable link for browsers that do not support meta refresh printf("Your settings are now reset to defaults.
"); char *destination = cgiUsualString("destination", defaultDestination); printf("You will be automatically redirected to the gateway page in 0 second,\n" " or you can
click here to continue.\n", destination); */ } int main(int argc, char *argv[]) /* Process command line. */ { long enteredMainTime = clock1000(); struct dyString *headText = newDyString(512); char *destination = cgiUsualString("destination", defaultDestination);
-if (strstr(destination, "://"))
+if (strstr(destination, "//")) errAbort("To stop Open Redirect abuse, only relative URLs are supported. " "Request for destination=[%s] rejected.\n", destination); dyStringPrintf(headText, "" "" "" ,destination); htmShellWithHead("Reset Cart", headText->string, doMiddle, NULL); dyStringFree(&headText); cgiExitTime("cartReset", enteredMainTime); return 0; }
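Review bot: The widened denylist on the `-if`/`+if` lines still rejects only one shape of absolute URL — a destination written with a scheme but without slashes passes, and any `"`, `<`, `>` or whitespace in the value still reaches the head markup built by `dyStringPrintf(headText, ..., destination)` unescaped (that format string was lost in extraction, so which attribute it lands in is inferred). An allowlist is the safer contract: accept only a relative path made of unreserved URL characters and reject everything else, which makes the `//` test redundant. `errAbort` also echoes the rejected value via `%s`; if that message is rendered as part of the page, the echo should be dropped or escaped. The helper below keeps `main` unchanged apart from the condition; `isalnum` needs `<ctype.h>` unless common.h already provides it.
```c
/* Accept only a relative path: no scheme, no "//", and no characters
 * that could terminate the attribute the value is written into. */
static boolean isSafeRelativeDestination(char *s)
{
if (s == NULL || s[0] == '\0')
    return FALSE;
if (strstr(s, "//") != NULL || strchr(s, ':') != NULL)
    return FALSE;
for (char *p = s; *p != '\0'; p++)
    {
    if (!isalnum((unsigned char)*p) && strchr("/._-~?=&%#", *p) == NULL)
        return FALSE;
    }
return TRUE;
}

/* … unchanged: main up to the destination lookup … */
if (!isSafeRelativeDestination(destination))
    errAbort("To stop Open Redirect abuse, only relative URLs are supported. "
             "Request for destination rejected.\n");
/* … unchanged: head text, htmShellWithHead, cleanup … */
```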