security: null-check currentScript, handle apcu_inc failure, use apcu_fetch success param

Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/f1016d36-0771-46e0-992c-95ce22594414

Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
copilot-swe-agent[bot]
2026-05-04 10:09:07 +00:00
committed by GitHub
parent 79e05f33cd
commit a415c76ad2
2 changed files with 26 additions and 8 deletions


@@ -10,11 +10,17 @@
// We replace with location.pathname only (no query string, no hash), which
// intentionally strips the ?token=… parameter and any hash fragment from the
// recorded history entry.
const rawTarget = document.currentScript.dataset.target;
// Only accept the exact relative path we set server-side to prevent any
// potential open-redirect via a manipulated data-target value.
const target = rawTarget === '../../' ? rawTarget : '/';
// Guard against environments where document.currentScript may be null.
if (!document.currentScript) {
window.location.replace('/');
} else {
const rawTarget = document.currentScript.dataset.target;
history.replaceState(null, '', location.pathname);
window.location.replace(target);
// Only accept the exact relative path we set server-side to prevent any
// potential open-redirect via a manipulated data-target value.
const target = rawTarget === '../../' ? rawTarget : '/';
history.replaceState(null, '', location.pathname);
window.location.replace(target);
}
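Review bot: The new `if (!document.currentScript)` branch calls `window.location.replace('/')` without the `history.replaceState(null, '', location.pathname)` step that the comment at the top of the hunk describes as intentionally stripping `?token=…` from the recorded history entry, so the fallback path navigates while the token is still in the document URL. `replaceState` does not depend on `currentScript`, so it can be hoisted above the guard: put `history.replaceState(null, '', location.pathname);` before `if (!document.currentScript) {` and drop it from the `else` branch, so both paths scrub the URL first. The guard's comment could also say when `currentScript` is expected to be null here (for example if the file were ever loaded as a module script), since the hunk does not show that. The script begins above the hunk, so any earlier handling is not visible from here.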