lucaspalomodevelop/core
1
0
Fork 0
mirror of https://github.com/lucaspalomodevelop/core.git synced 2026-03-16 01:24:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

authgui.inc: don't allow login redirects to visit external pages. closes https://github.com/opnsense/core/issues/4061

Browse Source
This commit is contained in:
Ad Schellevis 2020-04-26 15:15:40 +02:00
parent 4bac359e09
commit 0d07fae36a
1 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/etc/inc/authgui.inc
View File

@ -114,7 +114,15 @@ function session_auth(&$Login_Error)
log_error(sprintf("Successful login for user '%s' from: %s", $_POST['usernamefld'], $_SERVER['REMOTE_ADDR']));
}
if (!empty($_GET['url'])) {
header(url_safe("Location: {$_GET['url']}"));
$tmp_url_parts = parse_url($_GET['url']);
if (!empty($tmp_url_parts['host'])) {
$redir_uri = $tmp_url_parts['path'];
$redir_uri .= !empty($tmp_url_parts['query']) ? "?" . $tmp_url_parts['query'] : "";
$redir_uri .= !empty($tmp_url_parts['fragment']) ? "#" . $tmp_url_parts['fragment'] : "";
} else {
$redir_uri = $_GET['url'];
}
header(url_safe("Location: {$redir_uri}"));
} elseif (!empty($_SESSION['user_shouldChangePassword'])) {
header("Location: system_usermanager_passwordmg.php");
} else {