Source Control Integration

Author	Committer	Branch	Timestamp	Parent
dregad	dregad	master	2017-05-13 14:47	master f21b56fa
Affected Issues	0022702: CVE-2017-7620: CSRF - Arbitrary Permalink Injection
Affected Issues	0022816: CVE-2017-7620: Open redirection vulnerability in /login_page.php
Changeset	Encode '\' in string_sanitize_url() As an extra safety measure following up on the fix for CVE-2017-7620, we encode the backslashes in the 'script' part of the URL to ensure that the sanitized URL is treated as a path relative to MantisBT root and not a link to an external site if the URL begins with an escaped `/`. This reduces the risk of someone being able to use the same attack vector in another page. Fixes 0022702, 0022816
Changeset	mod - core/string_api.php			Diff File