Check permissions before redirecting to the canonical URL
authorMarcel Werk <burntime@woltlab.com>
Thu, 31 Mar 2022 12:11:15 +0000 (14:11 +0200)
committerMarcel Werk <burntime@woltlab.com>
Thu, 31 Mar 2022 12:11:15 +0000 (14:11 +0200)
Redirecting to the canonical URL can lead to information disclosure, for example when the URL contains the title of an object the requester is not allowed to see. Therefore the module and permission checks must run before redirecting.

wcfsetup/install/files/lib/page/AbstractPage.class.php

index 51c738a2408771011253c23a41f29eda73d55bdb..a54f8724eac37fecc235c8cba9516bd12e773bf0 100644 (file)
@@ -263,6 +263,10 @@ abstract class AbstractPage implements IPage
             throw new PermissionDeniedException();
         }
 
+        $this->checkModules();
+
+        $this->checkPermissions();
+
         // check if current request URL matches the canonical URL
         if ($this->canonicalURL && (empty($_POST) || $this->forceCanonicalURL)) {
             $canonicalURL = Url::parse(\preg_replace('~[?&]s=[a-f0-9]{40}~', '', $this->canonicalURL));
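Review bot: The reason `checkModules()` and `checkPermissions()` now precede the canonical redirect lives only in the commit message; the code at the new position should carry it so the ordering is not "fixed back" later for tidiness, e.g. `// Run module and permission checks before the canonical redirect: the canonical URL may embed object data (e.g. a title), so redirecting an unauthorized caller would leak it.` above `$this->checkModules();`. Moving the calls also changes what state they can rely on: anything initialized between the old position (after `setActiveMenuItem()`, in the second hunk) and this point is no longer available to subclass overrides of `checkPermissions()`, which is worth confirming against the code between the two hunks that is not shown here. The enclosing method starts before this hunk and continues past it.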
@@ -345,10 +349,6 @@ abstract class AbstractPage implements IPage
 
         $this->setActiveMenuItem();
 
-        $this->checkModules();
-
-        $this->checkPermissions();
-
         $this->maybeSetPsr7Response(
             $this->readData()
         );