SS-2015-021: Hash rewrite URL filtering
- Medium (?)
- Versions Affected:
- 3.1.15 and below, 3.2.0
- Versions Fixed:
- 3.1.16, 3.2.1
- Release Date:
When SSViewer rewrites has links, it takes the whole URL after the base and prepends it to the hash. So for http://example.com/foo, links like "#" become "/foo#". This prevents them being interpreted as relative to the base tag (i.e. as "http://example.com/#")
However this URL isn't well filtered, so a URL like http://example.com//evil.com will have it's hash links be rewritten to be "//evil.com#"
This fix has been resolved by pre-filtering $_SERVER['REQUEST_URI'] to clean leading double-slashes which would otherwise denote such urls as protocol-relative links.