Merge branch 'security/validate-refresh' into 4.0.0-releng

Fixes CVE-2011-1689
bestpractical · Apr 14, 2011 · e77f11b · e77f11b
2 parents c32b196 + 86812b5
commit e77f11b
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/share/html/Elements/Header b/share/html/Elements/Header
@@ -55,7 +55,8 @@
     <title><%$Title%></title>
 
 % if ($Refresh && $Refresh =~ /^(\d+)/ && $1 > 0) {
-    <meta http-equiv="refresh" content="<% $Refresh %>" />
+%   my $URL = $m->notes->{LogoutURL}; $URL = $URL ? ";URL=$URL" : "";
+    <meta http-equiv="refresh" content="<% "$1$URL" %>" />
 % }
 
 <link rel="shortcut icon" href="<%RT->Config->Get('WebImagesURL')%>favicon.png" type="image/png" />

diff --git a/share/html/NoAuth/Logout.html b/share/html/NoAuth/Logout.html
@@ -45,7 +45,7 @@
 %# those contributions and any derivatives thereof.
 %#
 %# END BPS TAGGED BLOCK }}}
-<& /Elements/Header, Title => loc('Logout'), Refresh => RT->Config->Get('LogoutRefresh').";URL=$URL" &>
+<& /Elements/Header, Title => loc('Logout'), Refresh => RT->Config->Get('LogoutRefresh') &>
 </div>
 
 <div id="body" class="login-body">
@@ -81,4 +81,5 @@
 }
 
 $m->callback( %ARGS, CallbackName => 'AfterSessionDelete' );
+$m->notes->{LogoutURL} = $URL;
 </%INIT>