N°2306 - Security hardening

2026-02-27 22:24:12 +01:00 · 2020-01-07 13:53:10 +01:00
parent 864ded2102
commit acf28ca4aa
2 changed files with 7 additions and 6 deletions
--- a/datamodels/2.x/itop-portal-base/portal/src/Controller/UserProfileBrickController.php
+++ b/datamodels/2.x/itop-portal-base/portal/src/Controller/UserProfileBrickController.php
@@ -1,7 +1,7 @@
 <?php

 /**
- * Copyright (C) 2013-2019 Combodo SARL
+ * Copyright (C) 2013-2020 Combodo SARL
 *
 * This file is part of iTop.
 *
@@ -16,8 +16,6 @@
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
- *
- *
 */

 namespace Combodo\iTop\Portal\Controller;
@@ -176,7 +174,7 @@ class UserProfileBrickController extends BrickController
 		{
 			// - Creating renderer
 			$oFormRenderer = new BsFormRenderer();
-			$oFormRenderer->SetEndpoint($_SERVER['REQUEST_URI']);
+			$oFormRenderer->SetEndpoint($oUrlGenerator->generate('p_user_profile_brick'));
 			// - Creating manager
 			$oFormManager = new PreferencesFormManager();
 			$oFormManager->SetRenderer($oFormRenderer)
@@ -248,6 +246,8 @@ class UserProfileBrickController extends BrickController
 	{
 		/** @var \Combodo\iTop\Portal\Helper\RequestManipulatorHelper $oRequestManipulator */
 		$oRequestManipulator = $this->get('request_manipulator');
+		/** @var \Combodo\iTop\Portal\Routing\UrlGenerator $oUrlGenerator */
+		$oUrlGenerator = $this->get('url_generator');

 		$aFormData = array();

@@ -259,7 +259,7 @@ class UserProfileBrickController extends BrickController
 		{
 			// - Creating renderer
 			$oFormRenderer = new BsFormRenderer();
-			$oFormRenderer->SetEndpoint($_SERVER['REQUEST_URI']);
+			$oFormRenderer->SetEndpoint($oUrlGenerator->generate('p_user_profile_brick'));
 			// - Creating manager
 			$oFormManager = new PasswordFormManager();
 			$oFormManager->SetRenderer($oFormRenderer)
--- a/datamodels/2.x/itop-portal-base/portal/src/Helper/ObjectFormHandlerHelper.php
+++ b/datamodels/2.x/itop-portal-base/portal/src/Helper/ObjectFormHandlerHelper.php
@@ -1,7 +1,7 @@
 <?php

 /**
- * Copyright (C) 2013-2019 Combodo SARL
+ * Copyright (C) 2013-2020 Combodo SARL
 *
 * This file is part of iTop.
 *
@@ -240,6 +240,7 @@ class ObjectFormHandlerHelper
 			}
 			else
 			{
+				// Fallback to current URL for other use cases
 				$sFormEndpoint = $_SERVER['REQUEST_URI'];
 			}
 			$oFormRenderer = new BsFormRenderer();