
Commit b4342434 authored by mattl's avatar mattl

OpenID extlib updated: Fixes CVE-2014-8150

parent 266b032b
......@@ -93,7 +93,17 @@ function Auth_OpenID_pct_encoded_replace_unreserved($mo)
function Auth_OpenID_pct_encoded_replace($mo)
{
return chr(intval($mo[1], 16));
$code = intval($mo[1], 16);
// Prevent request splitting by ignoring newline and space characters
if($code === 0xA || $code === 0xD || $code === ord(' '))
{
return $mo[0];
}
else
{
return chr($code);
}
}
function Auth_OpenID_remove_dot_segments($path)
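Review bot: The new guard in `Auth_OpenID_pct_encoded_replace` keeps only `%0A`, `%0D` and `%20` encoded, so every other control byte (NUL, tab, the rest of the C0 range, DEL) is still turned into a raw character by `chr($code)`. If the decoded URI is later handed to an HTTP client, as the request-splitting comment implies, a range check is a safer default than a three-value deny-list: `if ($code <= 0x20 || $code === 0x7F)`. The comment would also be more accurate as `// Leave control characters and space percent-encoded so a decoded URI cannot split a request line`, since the code returns `$mo[0]` unchanged rather than dropping the sequence. Callers are not visible in this hunk, so confirm that nothing relies on tab or other control bytes being decoded.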
......