mysite.io/admin/default/jsonadm Option route aborted

waqas.mehmood

Post by waqas.mehmood » 15 Jul 2021, 11:48

I have set up a new shop with Sanctum authentication by enabling the config

shop.routes.jsonadm

The authentication works fine, but the routes abort the request.
When I debugged this route I found that the

url()->previous()

function is not working correctly. This

url()->previous()

function returns

http://mysite.io/mysite.io
File: aimeos/aimeos-laravel/src/Aimeos/Shop/Controller/JsonadmController.php
Function: createAdmin()
Line No: 133
Laravel version: 8.49.2
Aimeos-Laravel: 2021.04.5

Following are the starting lines of the function:

protected function createAdmin() : \Aimeos\Admin\JsonAdm\Iface
{
    // allow requests only if they are from within the admin backend
    $cnt = count( explode( '/', request()->route()->getPrefix() ) ) - 1;
    $base = request()->root() . '/' . join( '/', array_slice( request()->segments(), 0, $cnt ) );
//  dd(url()->previous(), $base, strlen( $base ));
    if( strncmp( url()->previous(), $base, strlen( $base ) ) ) {
        // This abort is triggered because of the value returned by url()->previous()
        abort( 403 );
    }
I am trying this call in Postman.

Can anyone please guide me on where I am making a mistake?

Thanks
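As an added illustration (this is neither Aimeos code nor the poster's), the following standalone PHP script models the prefix comparison that createAdmin() performed, using the values from this thread. It assumes Laravel 8's url()->previous() behaviour (a Referer header is resolved through url()->to(), otherwise the root URL is used, with no session "previous URL") and the jsonadm route prefix admin/{site}/jsonadm; the request path segments are a constructed sample.

```php
<?php
// Added example, not Aimeos code: a standalone model of the referer-prefix check
// from JsonadmController::createAdmin(), so the 403 seen from Postman can be reproduced
// without a Laravel installation. Assumptions: Laravel 8 url()->previous() semantics and
// the route prefix "admin/{site}/jsonadm".

function toUrl(string $root, string $path): string
{
    // url()->to(): an absolute URL is returned unchanged, anything else is appended to the root.
    if (preg_match('#^https?://#i', $path)) {
        return $path;
    }
    return rtrim($root, '/') . '/' . ltrim($path, '/');
}

function previousUrl(string $root, ?string $referer): string
{
    // url()->previous(): resolve the Referer header if present, otherwise fall back to the root URL.
    return ($referer !== null && $referer !== '') ? toUrl($root, $referer) : toUrl($root, '/');
}

function adminBase(string $root, string $routePrefix, array $segments): string
{
    // Same computation as the controller: keep as many leading path segments as the prefix has
    // minus one, e.g. "admin/{site}/jsonadm" keeps "admin/default".
    $cnt = count(explode('/', $routePrefix)) - 1;
    return $root . '/' . join('/', array_slice($segments, 0, $cnt));
}

function allowedByRefererCheck(string $root, ?string $referer, string $routePrefix, array $segments): bool
{
    $base = adminBase($root, $routePrefix, $segments);
    // strncmp() is 0 only when the previous URL starts with $base; the controller aborted with 403 otherwise.
    return strncmp(previousUrl($root, $referer), $base, strlen($base)) === 0;
}

$root     = 'http://mysite.io';
$prefix   = 'admin/{site}/jsonadm';
$segments = ['admin', 'default', 'jsonadm', 'product'];   // constructed sample request path

// Browser navigating inside the backend: the Referer lies under the admin prefix.
var_dump(allowedByRefererCheck($root, 'http://mysite.io/admin/default/dashboard', $prefix, $segments));
// Postman without a Referer header: previous URL is the root, so the comparison fails and 403 follows.
var_dump(allowedByRefererCheck($root, null, $prefix, $segments));
// A Referer without a scheme is treated as a relative path and becomes http://mysite.io/mysite.io,
// which matches the value reported above (assumption about how that value arose).
var_dump(allowedByRefererCheck($root, 'mysite.io', $prefix, $segments));
```

Because the Referer header is supplied by the client, this comparison only distinguishes browser navigation from API clients; it is not a trust boundary, which is consistent with the maintainer's reply below that the check was dropped.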

aimeos
Administrator

Re: mysite.io/admin/default/jsonadm Option route aborted

Post by aimeos » 17 Jul 2021, 06:55

This check was introduced to avoid XSS vulnerabilities that affect the backend when browsing the frontend. But I think they are pretty useless because they can be circumvented easily. Thus, I've removed them again.

You can get the latest version using:

composer req aimeos/aimeos-laravel:2021.07.x-dev