Fix a bunch of open redirect vulns

nicolas.dorier
2022-05-13 10:26:20 +09:00
parent e597b2177c
commit 4eb143c265
2 changed files with 4 additions and 4 deletions


@@ -217,7 +217,7 @@ namespace BTCPayServer.Controllers
return NotFound();
}
await _notificationManager.ToggleSeen(new NotificationsQuery() { Seen = false, UserId = userId }, true);
return Redirect(returnUrl);
return LocalRedirect(returnUrl);
}
private bool ValidUserClaim(out string userId)
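Review bot: `LocalRedirect(returnUrl)` is reached only after `ToggleSeen(...)` has already run, and it throws instead of falling back when `returnUrl` is null, empty or not local, so such a request now changes state and then ends in an unhandled exception. Validating before the toggle, for example `if (!Url.IsLocalUrl(returnUrl)) return BadRequest();` or substituting a default local path, keeps the open-redirect fix without that error path. The start of the action is outside this hunk, so an earlier check may already exist. The same throw-on-invalid behaviour applies to the two error-path redirects in the other file's hunks at -101 and -146.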


@@ -101,7 +101,7 @@ namespace BTCPayServer.Controllers
if (bumpableUTXOs.Length == 0)
{
TempData[WellKnownTempData.ErrorMessage] = "There isn't any UTXO available to bump fee";
return Redirect(returnUrl);
return LocalRedirect(returnUrl);
}
Money bumpFee = Money.Zero;
foreach (var txid in bumpableUTXOs.Select(u => u.TransactionHash).ToHashSet())
@@ -146,7 +146,7 @@ namespace BTCPayServer.Controllers
} catch (Exception ex) {
TempData[WellKnownTempData.ErrorMessage] = ex.Message;
return Redirect(returnUrl);
return LocalRedirect(returnUrl);
}
}
@@ -526,7 +526,7 @@ namespace BTCPayServer.Controllers
var returnUrl = this.HttpContext.Request.Query["returnUrl"].FirstOrDefault();
if (returnUrl is not null)
{
return Redirect(returnUrl);
return LocalRedirect(returnUrl);
}
return RedirectToAction(nameof(WalletTransactions), new { walletId = walletId.ToString() });
}
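Review bot: The guard `if (returnUrl is not null)` in the last hunk still lets an empty or off-site `returnUrl` reach `LocalRedirect`, which throws for both rather than using the `RedirectToAction(nameof(WalletTransactions), ...)` fallback just below it. A request with `?returnUrl=` yields an empty string from `Request.Query["returnUrl"].FirstOrDefault()`, which passes the null check. Changing the condition to `if (Url.IsLocalUrl(returnUrl))` rejects null, empty and non-local values in one place and lets them fall through to the existing default. The enclosing action starts outside the hunk.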