CVE-2023-0606: sanitize special characters in action gets · ampache/ampache@d319150
Cross-site Scripting (XSS) - Reflected in GitHub repository ampache/ampache prior to 5.5.7.
@@ -419,7 +419,7 @@ public function run(ServerRequestInterface $request, GuiGatekeeperInterface $gat
}
// play the song instead of going through all the crap
header('Location: ' . $media->play_url('’, $player, false, $user->id, $user->streamtoken));
header('Location: ' . $media->play_url('’, $player, false, $user->id, $user->streamtoken), true, 303);
return null;
}
@@ -459,7 +459,7 @@ public function run(ServerRequestInterface $request, GuiGatekeeperInterface $gat
}
// play the song instead of going through all the crap
header('Location: ' . $media->play_url('’, $player, false, $user->id, $user->streamtoken));
header('Location: ' . $media->play_url('’, $player, false, $user->id, $user->streamtoken), true, 303);
return null;
}
@@ -533,7 +533,7 @@ public function run(ServerRequestInterface $request, GuiGatekeeperInterface $gat
if ($type == “song_preview” && $media instanceof Song_Preview) {
$media->stream();
} else {
header('Location: ' . $media->file);
header('Location: ' . $media->file, true, 303);
return null;
}
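Review bot: The new line `header('Location: ' . $media->file, true, 303);` in the third hunk redirects the client to whatever `$media->file` holds, and nothing in the hunk establishes that this value is a URL the client should be sent to; if a media type reaching this `else` branch stores a remote stream address taken from user-editable metadata this is an open redirect, and if it stores a local filesystem path the redirect exposes that path to the client. Worth a comment naming which media types are expected here and, if `$media->file` can be external, a check such as `if (filter_var($media->file, FILTER_VALIDATE_URL) === false) { return null; }` before the redirect — hedged, since the types that reach this branch are not visible in the hunk. Separately, the explicit 303 only takes effect while no output has been flushed, because `header()` becomes a warning-only no-op once output has started, so a `headers_sent()` guard (or confirming nothing is echoed earlier in `run`) would make the redirect reliable rather than best-effort. The same `header(..., true, 303); return null;` pair now appears three times in this method; a small private helper would keep the status code and any URL validation in one place. The enclosing `run()` method begins before the first hunk and its body continues outside the visible lines.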