Summary
get_nfilter_request_var('location') returns the raw, unfiltered request value. At quicktree.php:208 and quicktree.php:336 that value is embedded directly in header('Location: ...') calls without stripping CRLF characters or URL-encoding the output. A location value containing \r\n injects arbitrary HTTP response headers. PHP 8.x throws ValueError on CRLF in header(), but PHP 7.x deployments are silently exploitable.
Details
| Field | Value |
|---|---|
| File | quicktree.php |
| Lines | 208, 336 |
| Auth required | Yes — authenticated Cacti user |
| CWE | CWE-93 |
```php
// Before: the raw request value is concatenated into the header unchanged
header('Location: quicktree.php?location=' . get_nfilter_request_var('location'));

// After: CR/LF are stripped, then the value is URL-encoded so it stays inside the query string
header('Location: quicktree.php?location=' . rawurlencode(
    str_replace(["\r", "\n"], '', (string) get_nfilter_request_var('location'))
));
```

Fix applied at both sites in branch security/quicktree-sanitize-location-header.
Acceptance criteria
- CRLF characters stripped before `header()` at both sites
- Value URL-encoded before embedding in Location header
- Regression test in `tests/Security/QuicktreeXssTest.php`
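An added example, not Cacti's code, that wraps the hardened construction from the report in a helper and runs the check a regression test would make; the function names and the sample input are assumptions.

```php
<?php
// Added example (not Cacti's code): the hardened construction from the
// report wrapped in a helper, plus the check a regression test would make.
// Function names and the sample input below are assumptions.

// Build the redirect target from an untrusted 'location' request value:
// CR/LF are removed so no further headers can be injected, then the rest
// is URL-encoded so it stays inside the query string.
function quicktree_redirect_target(string $untrusted_location): string
{
    $stripped = str_replace(["\r", "\n"], '', $untrusted_location);
    return 'quicktree.php?location=' . rawurlencode($stripped);
}

// A header value is safe to hand to header() only if it contains no CR/LF.
function header_value_is_clean(string $value): bool
{
    return strpbrk($value, "\r\n") === false;
}

// Constructed test input with an embedded CRLF (not taken from the report).
$constructed = "tree1\r\nX-Test: 1";

// Pre-fix: the raw value is concatenated, so the CRLF survives.
$unsafe = 'quicktree.php?location=' . $constructed;
// Post-fix: stripped and encoded.
$safe = quicktree_redirect_target($constructed);

if (header_value_is_clean($unsafe)) {
    throw new RuntimeException('expected the unsanitised value to contain CRLF');
}
if (!header_value_is_clean($safe)) {
    throw new RuntimeException('sanitised value still contains CRLF');
}
if ($safe !== 'quicktree.php?location=tree1X-Test%3A%201') {
    throw new RuntimeException('unexpected encoding: ' . $safe);
}

// header('Location: ' . $safe); // the call made at quicktree.php:208 and :336
echo $safe, PHP_EOL;
```

On PHP 8.x header() itself rejects CR/LF with a ValueError, so stripping before the call also avoids an uncaught exception there.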