From 0d07fae36a6bf45be91da03e7fc33188c897bd5a Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Sun, 26 Apr 2020 15:15:40 +0200
Subject: [PATCH] authgui.inc: don't allow login redirects to visit external pages.

closes https://github.com/opnsense/core/issues/4061
---
 src/etc/inc/authgui.inc | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/etc/inc/authgui.inc b/src/etc/inc/authgui.inc
index f6b58d742..eb4eef0f7 100644
--- a/src/etc/inc/authgui.inc
+++ b/src/etc/inc/authgui.inc
@@ -114,7 +114,15 @@ function session_auth(&$Login_Error)
 log_error(sprintf("Successful login for user '%s' from: %s", $_POST['usernamefld'], $_SERVER['REMOTE_ADDR']));
 }
 if (!empty($_GET['url'])) {
- header(url_safe("Location: {$_GET['url']}"));
+ $tmp_url_parts = parse_url($_GET['url']);
+ if (!empty($tmp_url_parts['host'])) {
+ $redir_uri = $tmp_url_parts['path'];
+ $redir_uri .= !empty($tmp_url_parts['query']) ? "?" . $tmp_url_parts['query'] : "";
+ $redir_uri .= !empty($tmp_url_parts['fragment']) ? "#" . $tmp_url_parts['fragment'] : "";
+ } else {
+ $redir_uri = $_GET['url'];
+ }
+ header(url_safe("Location: {$redir_uri}"));
 } elseif (!empty($_SESSION['user_shouldChangePassword'])) {
 header("Location: system_usermanager_passwordmg.php");
 } else {
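Review bot: The else branch still emits `$_GET['url']` unchanged whenever parse_url() reports no host, which includes the case where parse_url() returns false on input it cannot parse, so the raw value reaches the Location header without any of the new filtering; in the host branch, a value with a host but no path (`http://host`) reads the undefined `path` index and produces an empty target. Rebuilding the target from the parsed components in every case, with a fallback of `/` when there is no usable path, closes both gaps, and rejecting a path that begins with two slash-like characters (`//` or `/\`) avoids scheme-relative forms that some browsers resolve to another origin. This assumes the login form passes absolute local paths in `url`; if relative paths such as `index.php` are expected, the rebuild still preserves them because only the scheme and host are dropped. The behaviour of url_safe() is not visible here and is presumed to escape header characters rather than validate the target. session_auth() starts and ends outside the hunk.
```php
        if (!empty($_GET['url'])) {
            $tmp_url_parts = parse_url($_GET['url']);
            // Always rebuild the target from its components so a scheme or host can never
            // survive; an unparsable value, a missing path or a scheme-relative "//" / "/\"
            // prefix falls back to the application root.
            $redir_uri = '/';
            if (is_array($tmp_url_parts) && !empty($tmp_url_parts['path'])
                    && !preg_match('#^[/\\\\]{2}#', $tmp_url_parts['path'])) {
                $redir_uri = $tmp_url_parts['path'];
                $redir_uri .= !empty($tmp_url_parts['query']) ? "?" . $tmp_url_parts['query'] : "";
                $redir_uri .= !empty($tmp_url_parts['fragment']) ? "#" . $tmp_url_parts['fragment'] : "";
            }
            header(url_safe("Location: {$redir_uri}"));
        // … unchanged: elseif / else branches …
```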