* [Security] Redirection of comment.php now checks the referrer

and only allows the blog's host (thanks to Lee Sheldon Victor)
s9y · Jan 12, 2017 · 6285933 · 6285933
1 parent a487080
commit 6285933
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/comment.php b/comment.php
@@ -11,7 +11,7 @@
 
 if (isset($serendipity['GET']['delete'], $serendipity['GET']['entry'], $serendipity['GET']['type'])) {
     serendipity_deleteComment($serendipity['GET']['delete'], $serendipity['GET']['entry'], $serendipity['GET']['type']);
-    if (serendipity_isResponseClean($_SERVER['HTTP_REFERER'])) {
+    if (serendipity_isResponseClean($_SERVER['HTTP_REFERER']) && preg_match('@^https?://' . preg_quote($_SERVER['HTTP_HOST'], '@') . '@imsU')) {
         header('Status: 302 Found');
         header('Location: '. $_SERVER['HTTP_REFERER']);
         exit;

diff --git a/docs/NEWS b/docs/NEWS
@@ -17,6 +17,9 @@ Version 2.1 ()
 
     * [Security] Reject %0D/%0A in exit tracking and other places
       (Issue #434)
+
+    * [Security] Redirection of comment.php now checks the referrer
+      and only allows the blog's host (thanks to Lee Sheldon Victor)
 
     * Disabled Selenium test files unless enabled