From 35e78af20ba4bd5078934188635175d356f1e996 Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Fri, 14 Apr 2017 00:47:13 +0200
Subject: [PATCH] Encode '\' in string_sanitize_url()

John Page aka hyp3rlinx / ApparitionSec http://hyp3rlinx.altervista.org
reported a CSRF vulnerability in permalink_page.php, allowing an
attacker to inject arbitrary links (CVE-2017-7620).

Encoding the backslashes in the 'script' part of the URL ensures that
the sanitized URL is treated as relative to MantisBT root and not a link
to an external site.

Fixes #22702
---
 core/string_api.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/core/string_api.php b/core/string_api.php
index 4e3c238..1c5e84b 100644
--- a/core/string_api.php
+++ b/core/string_api.php
@@ -275,7 +275,8 @@ function string_sanitize_url( $p_url, $p_return_absolute = false ) {
 	}
 
 	# Start extracting regex matches
-	$t_script = $t_matches['script'];
+	# Encode backslashes to prevent CSRF attacks
+	$t_script = strtr( $t_matches['script'], array( '\\' => '%5C' ) );
 	$t_script_path = $t_matches['path'];
 
 	# Clean/encode query params
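Review bot: The comment added above `strtr()` says what is encoded but not why, and the reason is what a future maintainer needs: browsers normalise a backslash to a forward slash when parsing URLs, so a sanitised value starting with `\\host` is rendered as the scheme-relative URL `//host` and leaves the MantisBT root. Suggest `# Encode backslashes: browsers treat '\' as '/', so a value like '\\host' would become the scheme-relative URL '//host' pointing outside MantisBT`. The report described in the commit message is link injection, which the strict term CSRF does not quite cover, so naming the mechanism rather than the category keeps the comment accurate. Whether `$t_matches['path']` on the next line can also begin with a backslash depends on the regex above the hunk, which is out of view and worth confirming. string_sanitize_url starts and ends outside the hunk.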
-- 
2.7.4

