X-Git-Url: http://www.aleph1.co.uk/gitweb/?a=blobdiff_plain;ds=sidebyside;f=web%2Fcore%2Flib%2FDrupal%2FCore%2FSecurity%2FRequestSanitizer.php;fp=web%2Fcore%2Flib%2FDrupal%2FCore%2FSecurity%2FRequestSanitizer.php;h=e1626ed3831fc5315592b473e4343f44bc2e256c;hb=0bf8d09d2542548982e81a441b1f16e75873a04f;hp=44815f68cd49313dbe36d632ddcf18643768fdcd;hpb=74df008bdbb3a11eeea356744f39b802369bda3c;p=yaffs-website
diff --git a/web/core/lib/Drupal/Core/Security/RequestSanitizer.php b/web/core/lib/Drupal/Core/Security/RequestSanitizer.php
index 44815f68c..e1626ed38 100644
--- a/web/core/lib/Drupal/Core/Security/RequestSanitizer.php
+++ b/web/core/lib/Drupal/Core/Security/RequestSanitizer.php
@@ -34,7 +34,7 @@ class RequestSanitizer {
    * @param string[] $whitelist
    *   An array of keys to whitelist as safe. See default.settings.php.
    * @param bool $log_sanitized_keys
-   *   (optional) Set to TRUE to log an keys that are sanitized.
+   *   (optional) Set to TRUE to log keys that are sanitized.
    *
    * @return \Symfony\Component\HttpFoundation\Request
    *   The sanitized request.
@@ -90,7 +90,8 @@ class RequestSanitizer {
     }
     if ($bag->has('destination')) {
-      $destination_dangerous_keys = static::checkDestination($bag->get('destination'), $whitelist);
+      $destination = $bag->get('destination');
+      $destination_dangerous_keys = static::checkDestination($destination, $whitelist);
       if (!empty($destination_dangerous_keys)) {
         // The destination is removed rather than sanitized because the URL
         // generator service is not available and this method is called very
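Review bot: The new `$destination = $bag->get('destination');` is not guaranteed to hold a string — a Symfony ParameterBag hands back whatever was submitted, so a request carrying `destination[]=x` yields an array, and this value now flows into both `checkDestination()` and the `UrlHelper::isExternal()` check the commit adds further down; whether either copes with a non-string is not visible in this diff. Since this block exists to defend against untrusted request input, a non-string destination is itself suspect and could be dropped up front, e.g. `if (!is_string($destination)) { $bag->remove('destination'); $sanitized = TRUE; }` before the dangerous-key check, after confirming how those two helpers behave on arrays under the PHP version in use. The enclosing method's signature and the removal that the comment refers to lie outside this hunk.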
@@ -101,6 +102,16 @@ class RequestSanitizer {
           trigger_error(sprintf('Potentially unsafe destination removed from %s parameter bag because it contained the following keys: %s', $bag_name, implode(', ', $destination_dangerous_keys)));
         }
       }
+      // Sanitize the destination parameter (which is often used for redirects)
+      // to prevent open redirect attacks leading to other domains.
+      if (UrlHelper::isExternal($destination)) {
+        // The destination is removed because it is an external URL.
+        $bag->remove('destination');
+        $sanitized = TRUE;
+        if ($log_sanitized_keys) {
+          trigger_error(sprintf('Potentially unsafe destination removed from %s parameter bag because it points to an external URL.', $bag_name));
+        }
+      }
     }
     return $sanitized;
   }
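Review bot: The added `if (UrlHelper::isExternal($destination))` still runs after the preceding branch has already removed the destination for containing dangerous keys, because `$destination` keeps the stale value rather than re-reading the bag; a destination that is both external and carries a dangerous key is therefore removed twice and, with `$log_sanitized_keys` set, produces two `trigger_error` lines with two different reasons for one parameter. Writing it as `elseif (UrlHelper::isExternal($destination)) {` keeps one removal and one log entry per bag and makes the two rejection reasons mutually exclusive. The open-redirect protection also depends entirely on `UrlHelper::isExternal()` classifying protocol-relative (`//evil.example`) and backslash-separated variants as external — its implementation is not in this diff, so that coverage should be pinned by a test rather than assumed. The enclosing method starts before this hunk; its closing `return $sanitized;` is inside it.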