login - use parse_url to validate if the provided redirect string is actually parseable to prevent open redirects. looks like https://github.com/opnsense/core/issues/4061 was incomplete

Ad Schellevis 2023-07-03 09:56:45 +02:00
parent 5d68f43d1f
commit 3c2f32ec8d


@ -187,14 +187,12 @@ function session_auth()
}
if (!empty($_GET['url'])) {
$tmp_url_parts = parse_url($_GET['url']);
if (!empty($tmp_url_parts['host'])) {
if ($tmp_url_parts !== false) {
$redir_uri = $tmp_url_parts['path'];
$redir_uri .= !empty($tmp_url_parts['query']) ? "?" . $tmp_url_parts['query'] : "";
$redir_uri .= !empty($tmp_url_parts['fragment']) ? "#" . $tmp_url_parts['fragment'] : "";
} else {
$redir_uri = $_GET['url'];
header(url_safe("Location: {$redir_uri}"));
}
header(url_safe("Location: {$redir_uri}"));
} elseif (!empty($_SESSION['user_shouldChangePassword'])) {
header("Location: system_usermanager_passwordmg.php");
} else {
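Review bot: The new `$tmp_url_parts !== false` branch still lets a path-only value such as `/\evil.com` or `\\evil.com` through: parse_url() reports no host for these, so they survive as `$redir_uri`, and browsers normalise a backslash to a slash in the Location header, turning it into a protocol-relative redirect to another origin — the same open redirect the commit is trying to close. The reconstructed value should be required to be a single-slash-rooted path before the header is emitted, e.g. `if (substr($redir_uri, 0, 1) !== '/' || in_array(substr($redir_uri, 1, 1), ['/', '\\'], true)) { $redir_uri = '/'; }`. Separately, `$tmp_url_parts['path']` is not set for inputs like `?foo=bar`, which emits an undefined-index warning and an empty `Location:`; `$redir_uri = $tmp_url_parts['path'] ?? '/';` avoids both. I cannot see url_safe() here, so whether it applies any further normalisation to the interpolated value is unverified; session_auth() itself begins and ends outside this hunk.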