0
OP Regular Newbie Apr 17, 2026 6:24pm

Severity: MEDIUM

Location: src/Services/UrlValidator.php:168-170

Bug: Raw fragment appended to Location header; may contain control characters.

Fix: rawurlencode($frag) before appending.

Status: open. Will reply with remediation details when resolved.

0
Regular Newbie Apr 17, 2026 6:47pm

Resolved.

UrlValidator::safeRedirectPath now sanitises path/query/fragment before reassembly (src/Services/UrlValidator.php):

  • All three parts strip bytes 0x00–0x1F and 0x7F (control characters that some clients treat as header terminators).
  • Fragment is additionally rawurlencode()d before being appended after #.

All 7 UrlValidator tests still pass. A crafted Referer with control chars or #javascript: bytes can no longer slip through into a Location: header.

Locking this thread.
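Added example (not the project's UrlValidator code): a small PHP script that shows the "before" reassembly the first post describes next to the hardened form from the second post, so the two behaviours can be compared on constructed inputs. The helper names (`splitReference`, `unsafeRedirectPath`, `hardenedRedirectPath`, `isHeaderSafe`) are hypothetical; only the technique (strip bytes 0x00–0x1F and 0x7F from path, query and fragment, then `rawurlencode()` the fragment before appending it after `#`) comes from the thread.

```php
<?php
declare(strict_types=1);

// Constructed illustration of the fix discussed above. Not the project's
// src/Services/UrlValidator.php; function names are hypothetical.

/** Split a relative reference into [path, query, fragment] on the first '#' and '?'. */
function splitReference(string $ref): array
{
    $fragment = '';
    $hash = strpos($ref, '#');
    if ($hash !== false) {
        $fragment = substr($ref, $hash + 1);
        $ref = substr($ref, 0, $hash);
    }
    $query = '';
    $q = strpos($ref, '?');
    if ($q !== false) {
        $query = substr($ref, $q + 1);
        $ref = substr($ref, 0, $q);
    }
    return [$ref, $query, $fragment];
}

/** Remove bytes 0x00-0x1F and 0x7F, which some clients treat as header terminators. */
function stripControlBytes(string $s): string
{
    return preg_replace('/[\x00-\x1F\x7F]/', '', $s);
}

/** "Before": raw reassembly, the pattern the bug report describes. */
function unsafeRedirectPath(string $ref): string
{
    [$path, $query, $fragment] = splitReference($ref);
    $out = $path;
    if ($query !== '') {
        $out .= '?' . $query;
    }
    if ($fragment !== '') {
        $out .= '#' . $fragment;
    }
    return $out;
}

/** "After": strip control bytes from all three parts, then encode the fragment. */
function hardenedRedirectPath(string $ref): string
{
    [$path, $query, $fragment] = splitReference($ref);
    $path = stripControlBytes($path);
    $query = stripControlBytes($query);
    $fragment = rawurlencode(stripControlBytes($fragment));
    $out = $path;
    if ($query !== '') {
        $out .= '?' . $query;
    }
    if ($fragment !== '') {
        $out .= '#' . $fragment;
    }
    return $out;
}

/** Last-line check before emitting a Location header: no control byte may survive. */
function isHeaderSafe(string $value): bool
{
    return preg_match('/[\x00-\x1F\x7F]/', $value) === 0;
}

// Constructed sample inputs (the second one hides CRLF inside the fragment).
$samples = [
    "/account?next=1#section",
    "/account#top\r\nSet-Cookie: hijacked=1",
    "/#javascript:alert(1)",
];

$escape = fn(string $s): string => addcslashes($s, "\0..\37\177"); // make control bytes visible

foreach ($samples as $ref) {
    $unsafe = unsafeRedirectPath($ref);
    $hardened = hardenedRedirectPath($ref);
    printf("input:    %s\n", $escape($ref));
    printf("unsafe:   %s  (header-safe: %s)\n", $escape($unsafe), isHeaderSafe($unsafe) ? 'yes' : 'no');
    printf("hardened: %s  (header-safe: %s)\n\n", $escape($hardened), isHeaderSafe($hardened) ? 'yes' : 'no');
}
```

For the CRLF sample the unsafe path reproduces the injected bytes and fails `isHeaderSafe`, while the hardened path drops them; for the `#javascript:` sample the fragment survives only as `javascript%3Aalert%281%29`, so it can no longer be interpreted as a scheme by whatever consumes the redirect. PHP's own `header()` refuses a value containing CR or LF, but that does not cover other control bytes or code that writes the response through a different mechanism, which is why keeping a final check like `isHeaderSafe` next to the sanitiser is worthwhile.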
