login - use parse_url to validate if the provided redirect string is actually parseable to prevent redirect. looks like https://github.com/opnsense/core/issues/4061 was incomplete

(bugfix 3c2f32ec8d)
2026-03-13 08:09:41 +00:00 · 2023-07-04 20:52:13 +02:00 · 2023-07-04 20:52:13 +02:00 · 6bc025af17
commit 6bc025af17
parent e60e4cd9c2
1 changed files with 6 additions and 1 deletions
--- a/src/etc/inc/authgui.inc
+++ b/src/etc/inc/authgui.inc
@ -188,7 +188,12 @@ function session_auth()
            if (!empty($_GET['url'])) {
                $tmp_url_parts = parse_url($_GET['url']);
                if ($tmp_url_parts !== false) {
-                    $redir_uri = $tmp_url_parts['path'];
+                    $redir_uri = sprintf(
+                        '%s://%s/%s',
+                        isset($_SERVER['HTTPS']) ? 'https' : 'http',
+                        $_SERVER['HTTP_HOST'],
+                        ltrim($tmp_url_parts['path'], '/')
+                    );
                    $redir_uri .= !empty($tmp_url_parts['query']) ? "?" . $tmp_url_parts['query'] : "";
                    $redir_uri .= !empty($tmp_url_parts['fragment']) ? "#" . $tmp_url_parts['fragment'] : "";
                    header(url_safe("Location: {$redir_uri}"));