Fix a bunch of open redirect vulns

nicolas.dorier
2022-05-13 10:26:20 +09:00
parent e597b2177c
commit 4eb143c265
2 changed files with 4 additions and 4 deletions


@@ -217,7 +217,7 @@ namespace BTCPayServer.Controllers
return NotFound(); return NotFound();
} }
await _notificationManager.ToggleSeen(new NotificationsQuery() { Seen = false, UserId = userId }, true); await _notificationManager.ToggleSeen(new NotificationsQuery() { Seen = false, UserId = userId }, true);
return Redirect(returnUrl); return LocalRedirect(returnUrl);
} }
private bool ValidUserClaim(out string userId) private bool ValidUserClaim(out string userId)
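Review bot: `return LocalRedirect(returnUrl);` rejects a non-local URL by throwing `InvalidOperationException` when the result executes, and it throws `ArgumentException` straight away for a null or empty value. A crafted or stale `returnUrl` therefore no longer leaves the site but does surface as an unhandled server error. Testing `Url.IsLocalUrl(returnUrl)` first and sending rejected values to a fixed in-app page would fail closed without the exception. The same applies to the two `LocalRedirect(returnUrl)` calls in the first two hunks of the second file. The action starts outside this hunk, so an earlier check on `returnUrl` may already exist.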


@@ -101,7 +101,7 @@ namespace BTCPayServer.Controllers
if (bumpableUTXOs.Length == 0) if (bumpableUTXOs.Length == 0)
{ {
TempData[WellKnownTempData.ErrorMessage] = "There isn't any UTXO available to bump fee"; TempData[WellKnownTempData.ErrorMessage] = "There isn't any UTXO available to bump fee";
return Redirect(returnUrl); return LocalRedirect(returnUrl);
} }
Money bumpFee = Money.Zero; Money bumpFee = Money.Zero;
foreach (var txid in bumpableUTXOs.Select(u => u.TransactionHash).ToHashSet()) foreach (var txid in bumpableUTXOs.Select(u => u.TransactionHash).ToHashSet())
@@ -146,7 +146,7 @@ namespace BTCPayServer.Controllers
} catch (Exception ex) { } catch (Exception ex) {
TempData[WellKnownTempData.ErrorMessage] = ex.Message; TempData[WellKnownTempData.ErrorMessage] = ex.Message;
return Redirect(returnUrl); return LocalRedirect(returnUrl);
} }
} }
@@ -526,7 +526,7 @@ namespace BTCPayServer.Controllers
var returnUrl = this.HttpContext.Request.Query["returnUrl"].FirstOrDefault(); var returnUrl = this.HttpContext.Request.Query["returnUrl"].FirstOrDefault();
if (returnUrl is not null) if (returnUrl is not null)
{ {
return Redirect(returnUrl); return LocalRedirect(returnUrl);
} }
return RedirectToAction(nameof(WalletTransactions), new { walletId = walletId.ToString() }); return RedirectToAction(nameof(WalletTransactions), new { walletId = walletId.ToString() });
} }
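Review bot: In the last hunk the guard `if (returnUrl is not null)` still passes an empty or off-site query value to `LocalRedirect`, which throws instead of reaching the `RedirectToAction(nameof(WalletTransactions), ...)` fallback on the next line. Changing the condition to `if (Url.IsLocalUrl(returnUrl))` would route every rejected value, including null and empty, to that existing fallback. A short comment such as `// returnUrl comes from the query string; only same-site paths are honoured` would record why the check is there. The enclosing action starts outside the hunk.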