Prevent login redirection to foreign domain

kimden · Jun 13, 2014 · 9131882 · 9131882
1 parent 59f273c
commit 9131882
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 19 deletions.
diff --git a/image.php b/image.php
@@ -1,21 +1,24 @@
 <?php
-/* copyright 2009 Lucas Baudin <[email protected]>                 
-
- This file is part of stkaddons.
-
- stkaddons is free software: you can redistribute it and/or
- modify it under the terms of the GNU General Public License as published by
- the Free Software Foundation, either version 3 of the License, or (at your
- option) any later version.
-
- stkaddons is distributed in the hope that it will be useful, but
- WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
- more details.
-
- You should have received a copy of the GNU General Public License along with
- stkaddons.  If not, see <http://www.gnu.org/licenses/>.   */
+/**
+ * copyright 2009 Lucas Baudin <[email protected]>
+ *           2014 Daniel Butum <danibutum at gmail dot com>
+ * This file is part of stkaddons
+ *
+ * stkaddons is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * stkaddons is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with stkaddons.  If not, see <http://www.gnu.org/licenses/>.
+ */
 
 require_once(__DIR__ . DIRECTORY_SEPARATOR . "config.php");
+
 $type = (isset($_GET['type'])) ? $_GET['type'] : null;
 Util::resizeImage($_GET['pic'], $type);
diff --git a/login.php b/login.php
@@ -27,7 +27,7 @@
 $_GET['action'] = (isset($_GET['action'])) ? $_GET['action'] : null;
 
 // set default
-$return_to_url = "index.php";
+$return_to_url = $safe_url = SITE_ROOT . "index.php";
 if (isset($_POST["return_to"]))
 {
     $return_to_url = $_POST["return_to"];
@@ -38,7 +38,15 @@
     $return_to_url = urldecode($_GET["return_to"]);
 }
 
+// prevent foreign domain
+if(!Util::str_starts_with($return_to_url, SITE_ROOT))
+{
+    // silently fall back to safe url
+    $return_to_url = $safe_url;
+}
+
 $tpl = new StkTemplate('login.tpl');
+
 // Prepare forms
 $login_form = array(
     'display'   => true,
@@ -65,11 +73,11 @@
         }
         else
         {
-            $tpl->setMetaRefresh("index.php", 3);
+            $tpl->setMetaRefresh($safe_url, 3);
             $conf = _h('You have been logged out.') . '<br />';
             $conf .= sprintf(
                     _h('Click %shere%s if you do not automatically redirect.'),
-                    '<a href="index.php">',
+                    "<a href=\"{$safe_url}\">",
                     '</a>'
                 ) . '<br />';
             $tpl->assign('confirmation', $conf);