

CVE-2023-22729: [CVE-2023-22729] Escaped double slash is absolute URL · silverstripe/silverstripe-framework@1a5bb4c

Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, an attacker can display a link to a third party website on a login screen by convincing a legitimate content author to follow a specially crafted link. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue.


@@ -232,6 +232,9 @@ public function provideAbsolutePaths() public function testIsAbsoluteUrl() { $this->assertTrue(Director::is_absolute_url(‘http://test.com/testpage’)); $this->assertTrue(Director::is_absolute_url(‘https:/\\test.com’)); $this->assertTrue(Director::is_absolute_url(‘https:\\/test.com’)); $this->assertTrue(Director::is_absolute_url(‘https:\\\\test.com’)); $this->assertTrue(Director::is_absolute_url(‘ftp://test.com’)); $this->assertFalse(Director::is_absolute_url(‘test.com/testpage’)); $this->assertFalse(Director::is_absolute_url(‘/relative’)); 
@@ -241,6 +244,11 @@ public function testIsAbsoluteUrl() $this->assertTrue(Director::is_absolute_url(“https://test.com/?url=http://foo.com”)); $this->assertTrue(Director::is_absolute_url(“trickparseurl:http://test.com”)); $this->assertTrue(Director::is_absolute_url(‘//test.com’)); $this->assertTrue(Director::is_absolute_url(‘\\/\\/test.com’)); $this->assertTrue(Director::is_absolute_url(‘\/\/test.com’)); $this->assertTrue(Director::is_absolute_url(‘/\\test.com’)); $this->assertTrue(Director::is_absolute_url(‘\\\\test.com’)); $this->assertFalse(Director::is_absolute_url(‘\\test.com’)); $this->assertTrue(Director::is_absolute_url(‘/////test.com’)); $this->assertTrue(Director::is_absolute_url(' ///test.com’)); $this->assertTrue(Director::is_absolute_url(‘http:test.com’)); 
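Review bot: In the second hunk of testIsAbsoluteUrl the two added assertions for `'\\/\\/test.com'` and `'\/\/test.com'` exercise the same runtime string, because a single-quoted PHP literal only unescapes `\\` and `\'`, so both evaluate to `\/\/test.com` and the second line adds no coverage; if a double-backslash-per-segment variant was intended it needs the `'\\\\/\\\\/test.com'` spelling, otherwise one of the pair should be dropped. The identical duplicate pair appears in the testIsRelativeUrl hunk and, with the `?url=` suffixes, in the testIsSiteUrl hunk. None of the new backslash cases says why `\` is treated like `/`; a one-line comment above the group, `// Backslash variants count as absolute: user agents normalise \ to / in the authority part, so they must not be treated as same-site` (presumably the rationale behind this commit, to be confirmed against the advisory), would keep a future cleanup from "simplifying" them away. The body of testIsAbsoluteUrl continues past the end of this hunk.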
@@ -258,8 +266,17 @@ public function testIsRelativeUrl() { $this->assertFalse(Director::is_relative_url(‘http://test.com’)); $this->assertFalse(Director::is_relative_url(‘https://test.com’)); $this->assertFalse(Director::is_relative_url(‘https:/\\test.com’)); $this->assertFalse(Director::is_relative_url(‘https:\\/test.com’)); $this->assertFalse(Director::is_relative_url(‘https:\\\\test.com’)); $this->assertFalse(Director::is_relative_url(' https://test.com/testpage ')); $this->assertTrue(Director::is_relative_url(‘test.com/testpage’)); $this->assertFalse(Director::is_relative_url(‘//test.com’)); $this->assertFalse(Director::is_relative_url(‘\\/\\/test.com’)); $this->assertFalse(Director::is_relative_url(‘\/\/test.com’)); $this->assertFalse(Director::is_relative_url(‘/\\test.com’)); $this->assertFalse(Director::is_relative_url(‘\\\\test.com’)); $this->assertTrue(Director::is_relative_url(‘\\test.com’)); $this->assertFalse(Director::is_relative_url(‘ftp://test.com’)); $this->assertTrue(Director::is_relative_url(‘/relative’)); $this->assertTrue(Director::is_relative_url(‘relative’)); 
@@ -401,17 +418,34 @@ public function testMakeRelative($baseURL, $requestURL, $relativeURL) ); }
/** * Mostly tested by {@link testIsRelativeUrl()}, * just adding the host name matching aspect here. */ public function testIsSiteUrl() { $this->assertFalse(Director::is_site_url(“http://test.com”)); $this->assertFalse(Director::is_site_url(‘http://test.com’)); $this->assertTrue(Director::is_site_url(‘/relative-path’)); $this->assertTrue(Director::is_site_url(‘relative-path’)); $this->assertTrue(Director::is_site_url(Director::absoluteBaseURL())); $this->assertFalse(Director::is_site_url(“http://test.com?url=” . Director::absoluteBaseURL())); $this->assertFalse(Director::is_site_url(“http://test.com?url=” . urlencode(Director::absoluteBaseURL() ?? ‘’))); $this->assertFalse(Director::is_site_url(“//test.com?url=” . Director::absoluteBaseURL())); $this->assertFalse(Director::is_site_url(‘http://test.com?url=’ . Director::absoluteBaseURL())); $this->assertFalse(Director::is_site_url(‘http://test.com?url=’ . urlencode(Director::absoluteBaseURL() ?? ‘’))); $this->assertFalse(Director::is_site_url(‘http:\\\\test.com’)); $this->assertFalse(Director::is_site_url(‘http:\\\\test.com?url=’ . Director::absoluteBaseURL())); $this->assertFalse(Director::is_site_url(‘http:\\\\test.com?url=’ . urlencode(Director::absoluteBaseURL() ?? ‘’))); $this->assertFalse(Director::is_site_url(‘http:\\/test.com’)); $this->assertFalse(Director::is_site_url(‘http:\\/test.com?url=’ . Director::absoluteBaseURL())); $this->assertFalse(Director::is_site_url(‘http:\\/test.com?url=’ . urlencode(Director::absoluteBaseURL() ?? ‘’))); $this->assertFalse(Director::is_site_url(‘//test.com’)); $this->assertFalse(Director::is_site_url(‘//test.com?url=’ . Director::absoluteBaseURL())); $this->assertFalse(Director::is_site_url(‘\\/\\/test.com’)); $this->assertFalse(Director::is_site_url(‘\\/\\/test.com?url=’ . Director::absoluteBaseURL())); $this->assertFalse(Director::is_site_url(‘\/\/test.com’)); $this->assertFalse(Director::is_site_url(‘\/\/test.com?url=’ . 
Director::absoluteBaseURL())); $this->assertFalse(Director::is_site_url(‘\\/test.com’)); $this->assertFalse(Director::is_site_url(‘\\/test.com?url=’ . Director::absoluteBaseURL())); $this->assertFalse(Director::is_site_url(‘/\\test.com’)); $this->assertFalse(Director::is_site_url(‘/\\test.com?url=’ . Director::absoluteBaseURL())); $this->assertFalse(Director::is_site_url(‘\\\\test.com’)); $this->assertFalse(Director::is_site_url(‘\\\\test.com?url=’ . Director::absoluteBaseURL())); $this->assertTrue(Director::is_site_url(‘\\test.com’)); $this->assertTrue(Director::is_site_url(‘\\test.com?url=’ . Director::absoluteBaseURL())); $this->assertFalse(Director::is_site_url(‘http://google.com\@test.com’)); $this->assertFalse(Director::is_site_url(‘http://google.com/@test.com’)); $this->assertFalse(Director::is_site_url(‘http://google.com:pass\@test.com’));


GHSA-fw84-xgm8-9jmv: Open redirect vulnerability on CMSSecurity relogin screen

An attacker can display a link to a third party website on a login screen by convincing a legitimate content author to follow a specially crafted link. Upgrade to `silverstripe/framework` 4.12.5 or above to remedy the vulnerability. Reporter: Matthew Dekker
