From 143a9b340fc88261eea89bea044bf4c98d62d1f0 Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Tue, 11 Oct 2016 08:30:13 +0200
Subject: [PATCH] inc: url_safe() for #1168
This doesn't do anything in particular, because we don't know what the input is without parsing it further. It's not worse than before in any case. ;)
---
 src/etc/inc/authgui.inc | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/src/etc/inc/authgui.inc b/src/etc/inc/authgui.inc
index 13967ee2e..986bc60df 100644
--- a/src/etc/inc/authgui.inc
+++ b/src/etc/inc/authgui.inc
@@ -216,7 +216,7 @@ function session_auth(&$Login_Error)
 if (!isset($config['system']['webgui']['quietlogin'])) {
 log_error(sprintf("Successful login for user '%s' from: %s", $_POST['usernamefld'], $_SERVER['REMOTE_ADDR']));
 }
- header("Location: {$_SERVER['REQUEST_URI']}");
+ header(url_safe("Location: {$_SERVER['REQUEST_URI']}"));
 exit;
 } else {
 /* give the user an error message */
@@ -275,7 +275,7 @@ function session_auth(&$Login_Error)
 $scriptName = $scriptName[$scriptElms-1];
 /* redirect to page the user is on, it'll prompt them to login again */
- header("Location: {$scriptName}");
+ header(url_safe("Location: {$scriptName}"));
 exit;
 }
@@ -306,8 +306,7 @@ if (!isAllowedPage($_SERVER['REQUEST_URI'])) {
 $username .= '@' . $_SERVER['REMOTE_ADDR'];
 }
 log_error("{$username} attempted to access {$_SERVER['REQUEST_URI']} but does not have access to that page. Redirecting to {$page}.");
-
- header("Location: /{$page}");
+ header(url_safe("Location: /{$page}"));
 exit;
 } else {
 display_error_form("201", gettext("No page assigned to this user! Click here to logout."));
@@ -315,7 +314,6 @@ if (!isAllowedPage($_SERVER['REQUEST_URI'])) {
 }
 }
-
 /*
 * determine if the user is allowed access to the requested page
 */
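Review bot: In the first hunk `$_SERVER['REQUEST_URI']` is interpolated into the string before `url_safe()` is called, so the helper receives the header name and the request-supplied value as one opaque string and cannot encode or check the value on its own; the `$scriptName` and `/{$page}` redirects in the second and third hunks follow the same pattern. `url_safe()` is defined outside this patch; if it treats its first argument as a printf-style format, a literal `%` in a percent-encoded request URI would be read as a conversion specifier and could break the post-login redirect. I would validate the target as a same-origin path before building the header, for example `if (!preg_match('#\A/(?!/)[^\r\n\\\\]*\z#', $target)) { $target = '/'; }` followed by `header("Location: {$target}");`, so that a protocol-relative value such as `//host` is never sent back as the redirect target. session_auth() begins and ends outside the first two hunks, so how `$scriptName` is derived is not visible here.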