fix(security): replace REQUEST_URI with fixed path in redirects (#43)

- Replace all 3 occurrences of $_SERVER['REQUEST_URI'] with '/'
- Prevents potential open redirect via client-controlled REQUEST_URI
- Safe since contact form only exists on homepage

Fix #43
This commit is contained in:
2026-05-21 23:06:19 +00:00
parent 36b5639801
commit d44fb337e2


@@ -51,7 +51,7 @@ class HomeController extends Controller
$honeypot = $normalizeContactValue((string) ($_POST['website'] ?? ''));
if ($honeypot !== '') {
header('Location: ' . $_SERVER['REQUEST_URI'] . '#form-result');
header('Location: /#form-result');
$_SESSION['form_success'] = true;
exit;
} else {
@@ -102,7 +102,7 @@ class HomeController extends Controller
if ($mailSent) {
$_SESSION['last_contact_submit'] = time();
header('Location: ' . $_SERVER['REQUEST_URI'] . '#form-result');
header('Location: /#form-result');
$_SESSION['form_success'] = true;
exit;
} else {
@@ -111,7 +111,7 @@ class HomeController extends Controller
}
}
if (!empty($formErrors)) {
header('Location: ' . $_SERVER['REQUEST_URI'] . '#form-result');
header('Location: /#form-result');
$_SESSION['form_errors'] = $formErrors;
$_SESSION['form_data'] = $formData;
exit;
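Review bot: The same literal `'/#form-result'` is now written three times (the new `header()` line in each of the three hunks), and nothing at the call sites records why the path is fixed, so a later edit could quietly reintroduce a client-controlled value in one of them. I would hoist it to a single class constant with the reason attached, `// Fixed path on purpose: REQUEST_URI is client-controlled (#43)` followed by `private const FORM_REDIRECT = '/#form-result';`, and have each site call `header('Location: ' . self::FORM_REDIRECT, true, 303);` — the explicit 303 also makes the post-submit redirect a proper POST-redirect-GET rather than relying on the default 302. If the application is ever served under a base path rather than the site root, the bare `/` would drop that prefix; whether that applies here is not visible in the hunk. The enclosing method of HomeController starts before the first hunk and continues after the last.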