Ghost/core/server
Jesse Dijkstra f546a5ce1d Remove open redirect by removing double slashes from redirects (#7247)
no issue

Double slashes are treated as HTTP calls as specified in [RFC1801](http://www.ietf.org/rfc/rfc1808.txt). Because of this behaviour, the uncapitalise created an open redirect. By removing double slashes in the path we ensure open redirects cannot be created.

As an example, please click the following URL: https://dev.ghost.org///Google.com/.

This issue has been reported by pentesters of our product [LearningSpaces.io](http://learningspaces.io).
2016-08-23 13:47:59 +02:00
api fix: delete unused theme endpoints (#7231) 2016-08-22 10:54:54 +01:00
apps [FEATURE] AMP (#7229) 2016-08-22 18:49:27 +02:00
config feature: storage adapter for images and themes (#7241) 2016-08-22 18:55:28 +01:00
controllers [FEATURE] AMP (#7229) 2016-08-22 18:49:27 +02:00
data [FEATURE] AMP (#7229) 2016-08-22 18:49:27 +02:00
errors Allow maintenance mode to be set in config.js (#7124) 2016-07-25 21:28:35 +02:00
events post-scheduling 2016-06-14 10:52:13 +02:00
helpers [FEATURE] AMP (#7229) 2016-08-22 18:49:27 +02:00
mail 🐛 Don't overwrite config.theme.title in GhostMail (#7224) 2016-08-19 10:22:07 +02:00
middleware Remove open redirect by removing double slashes from redirects (#7247) 2016-08-23 13:47:59 +02:00
models fix: "url" field is undefined when restricting returned fields (#7089) 2016-07-18 22:21:47 +02:00
permissions deps: lodash@4.13.1 2016-06-11 13:13:55 -06:00
routes fix: delete unused theme endpoints (#7231) 2016-08-22 10:54:54 +01:00
scheduling post-scheduling: delete job but time is null (#7035) 2016-06-28 20:14:29 +02:00
storage improvement: ensure custom storage adapter has required functions (#7234) 2016-08-22 22:51:42 +01:00
translations feature: upload validation middleware (#7208) 2016-08-18 20:25:51 +01:00
utils Remove open redirect by removing double slashes from redirects (#7247) 2016-08-23 13:47:59 +02:00
views Switch to new native system font stack (#7219) 2016-08-18 20:29:46 +01:00
filters.js Misc grunt /dev updates 2015-05-28 20:25:14 +01:00
ghost-server.js Harvest server side strings 2015-12-19 12:12:16 +01:00
i18n.js improvement: general fixes 2016-06-01 07:07:20 +02:00
index.js fix: enable maintenance mode only if there is an upgrade to perform (#7129) 2016-07-26 09:56:07 +01:00
overrides.js deps: lodash@4.13.1 2016-06-11 13:13:55 -06:00
update-check.js Support for custom notifications (#7077) 2016-07-22 14:02:10 +01:00