From acf28ca4aa8568fdec741dbb151c0590435cc03b Mon Sep 17 00:00:00 2001
From: Molkobain <lajarige.guillaume@free.fr>
Date: Tue, 7 Jan 2020 13:53:10 +0100
Subject: [PATCH] =?UTF-8?q?N=C2=B02306=20-=20Security=20hardening?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../src/Controller/UserProfileBrickController.php      | 10 +++++-----
 .../portal/src/Helper/ObjectFormHandlerHelper.php      |  3 ++-
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/datamodels/2.x/itop-portal-base/portal/src/Controller/UserProfileBrickController.php b/datamodels/2.x/itop-portal-base/portal/src/Controller/UserProfileBrickController.php
index f88dc17aa..2cc60346e 100644
--- a/datamodels/2.x/itop-portal-base/portal/src/Controller/UserProfileBrickController.php
+++ b/datamodels/2.x/itop-portal-base/portal/src/Controller/UserProfileBrickController.php
@@ -1,7 +1,7 @@
 <?php
 
 /**
- * Copyright (C) 2013-2019 Combodo SARL
+ * Copyright (C) 2013-2020 Combodo SARL
  *
  * This file is part of iTop.
  *
@@ -16,8 +16,6 @@
  * GNU Affero General Public License for more details.
  *
  * You should have received a copy of the GNU Affero General Public License
- *
- *
  */
 
 namespace Combodo\iTop\Portal\Controller;
@@ -176,7 +174,7 @@ class UserProfileBrickController extends BrickController
 		{
 			// - Creating renderer
 			$oFormRenderer = new BsFormRenderer();
-			$oFormRenderer->SetEndpoint($_SERVER['REQUEST_URI']);
+			$oFormRenderer->SetEndpoint($oUrlGenerator->generate('p_user_profile_brick'));
 			// - Creating manager
 			$oFormManager = new PreferencesFormManager();
 			$oFormManager->SetRenderer($oFormRenderer)
@@ -248,6 +246,8 @@ class UserProfileBrickController extends BrickController
 	{
 		/** @var \Combodo\iTop\Portal\Helper\RequestManipulatorHelper $oRequestManipulator */
 		$oRequestManipulator = $this->get('request_manipulator');
+		/** @var \Combodo\iTop\Portal\Routing\UrlGenerator $oUrlGenerator */
+		$oUrlGenerator = $this->get('url_generator');
 
 		$aFormData = array();
 
@@ -259,7 +259,7 @@ class UserProfileBrickController extends BrickController
 		{
 			// - Creating renderer
 			$oFormRenderer = new BsFormRenderer();
-			$oFormRenderer->SetEndpoint($_SERVER['REQUEST_URI']);
+			$oFormRenderer->SetEndpoint($oUrlGenerator->generate('p_user_profile_brick'));
 			// - Creating manager
 			$oFormManager = new PasswordFormManager();
 			$oFormManager->SetRenderer($oFormRenderer)
diff --git a/datamodels/2.x/itop-portal-base/portal/src/Helper/ObjectFormHandlerHelper.php b/datamodels/2.x/itop-portal-base/portal/src/Helper/ObjectFormHandlerHelper.php
index 36aa6ee41..4050979ba 100644
--- a/datamodels/2.x/itop-portal-base/portal/src/Helper/ObjectFormHandlerHelper.php
+++ b/datamodels/2.x/itop-portal-base/portal/src/Helper/ObjectFormHandlerHelper.php
@@ -1,7 +1,7 @@
 <?php
 
 /**
- * Copyright (C) 2013-2019 Combodo SARL
+ * Copyright (C) 2013-2020 Combodo SARL
  *
  * This file is part of iTop.
  *
@@ -240,6 +240,7 @@ class ObjectFormHandlerHelper
 			}
 			else
 			{
+				// Fallback to current URL for other use cases
 				$sFormEndpoint = $_SERVER['REQUEST_URI'];
 			}
 			$oFormRenderer = new BsFormRenderer();