From 6bc025af1705dcdd8ef22ff5d4fcb986fa4e45f8 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 4 Jul 2023 20:52:13 +0200
Subject: [PATCH] login - use parse_url to validate if the provided redirect
 string is actually parseable to prevent redirect. looks like
 https://github.com/opnsense/core/issues/4061 was incomplete

(bugfix https://github.com/opnsense/core/commit/3c2f32ec8dd1fb0da72e677b40163527fdaec7da)
---
 src/etc/inc/authgui.inc | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/etc/inc/authgui.inc b/src/etc/inc/authgui.inc
index e3a422be3..492499ba1 100644
--- a/src/etc/inc/authgui.inc
+++ b/src/etc/inc/authgui.inc
@@ -188,7 +188,12 @@ function session_auth()
             if (!empty($_GET['url'])) {
                 $tmp_url_parts = parse_url($_GET['url']);
                 if ($tmp_url_parts !== false) {
-                    $redir_uri = $tmp_url_parts['path'];
+                    $redir_uri = sprintf(
+                        '%s://%s/%s',
+                        isset($_SERVER['HTTPS']) ? 'https' : 'http',
+                        $_SERVER['HTTP_HOST'],
+                        ltrim($tmp_url_parts['path'], '/')
+                    );
                     $redir_uri .= !empty($tmp_url_parts['query']) ? "?" . $tmp_url_parts['query'] : "";
                     $redir_uri .= !empty($tmp_url_parts['fragment']) ? "#" . $tmp_url_parts['fragment'] : "";
                     header(url_safe("Location: {$redir_uri}"));