login: switch to absolute redirect urls

classes/handler/public.php

@@ -623,7 +623,7 @@ class Handler_Public extends Handler {
 
 		} else {
 
-			$return = urlencode($_SERVER["REQUEST_URI"])
+			$return = urlencode(make_self_url());
 
 			?>
 
@@ -712,7 +712,9 @@ class Handler_Public extends Handler {
 				user_error("Failed login attempt for $login from {$_SERVER['REMOTE_ADDR']}", E_USER_WARNING);
 			}
 
-			if (clean($_REQUEST['return'])) {
+			$return = clean($_REQUEST['return']);
+
+			if ($_REQUEST['return'] && mb_strpos($return, SELF_URL_PATH) === 0) {
 				header("Location: " . clean($_REQUEST['return']));
 			} else {
 				header("Location: " . get_self_url_prefix());

include/login_form.php

@@ -61,7 +61,7 @@ function bwLimitChange(elem) {
 }
 </script>
 
-<?php $return = urlencode($_SERVER["REQUEST_URI"]) ?>
+<?php $return = urlencode(make_self_url()) ?>
 
 <div class="container">
 

include/sanity_check.php

@@ -14,6 +14,12 @@
 	 * If you come crying when stuff inevitably breaks, you will be mocked and told
 	 * to get out. */
 
+	function make_self_url() {
+		$proto = is_server_https() ? 'https' : 'http';
+
+		return $proto . '://' . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"];
+	}
+
 	function make_self_url_path() {
 		$proto = is_server_https() ? 'https' : 'http';
 		$url_path = $proto . '://' . $_SERVER["HTTP_HOST"] . parse_url($_SERVER["REQUEST_URI"], PHP_URL_PATH);