From 5b3a73e574b5377300c86d8d9765b9c57df1ddd6 Mon Sep 17 00:00:00 2001 From: Andrew Dolgov Date: Mon, 4 Mar 2019 20:38:39 +0300 Subject: [PATCH] login: switch to absolute redirect urls --- classes/handler/public.php | 6 ++++-- include/login_form.php | 2 +- include/sanity_check.php | 6 ++++++ 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/classes/handler/public.php b/classes/handler/public.php index c3f18d8bb..a8369f440 100755 --- a/classes/handler/public.php +++ b/classes/handler/public.php @@ -623,7 +623,7 @@ class Handler_Public extends Handler { } else { - $return = urlencode($_SERVER["REQUEST_URI"]) + $return = urlencode(make_self_url()); ?> @@ -712,7 +712,9 @@ class Handler_Public extends Handler { user_error("Failed login attempt for $login from {$_SERVER['REMOTE_ADDR']}", E_USER_WARNING); } - if (clean($_REQUEST['return'])) { + $return = clean($_REQUEST['return']); + + if ($_REQUEST['return'] && mb_strpos($return, SELF_URL_PATH) === 0) { header("Location: " . clean($_REQUEST['return'])); } else { header("Location: " . get_self_url_prefix()); diff --git a/include/login_form.php b/include/login_form.php index 069a1fb6b..6c6aaf8cf 100755 --- a/include/login_form.php +++ b/include/login_form.php @@ -61,7 +61,7 @@ function bwLimitChange(elem) { } - +
diff --git a/include/sanity_check.php b/include/sanity_check.php index 3612b4e56..654c83e38 100755 --- a/include/sanity_check.php +++ b/include/sanity_check.php @@ -14,6 +14,12 @@ * If you come crying when stuff inevitably breaks, you will be mocked and told * to get out. */ + function make_self_url() { + $proto = is_server_https() ? 'https' : 'http'; + + return $proto . '://' . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]; + } + function make_self_url_path() { $proto = is_server_https() ? 'https' : 'http'; $url_path = $proto . '://' . $_SERVER["HTTP_HOST"] . parse_url($_SERVER["REQUEST_URI"], PHP_URL_PATH);