Redirect only to absolute URL

We do not want to redirect to other domains using the "?redirect_url=" feature. Please notice, that the ownCloud project does not consider open redirectors as security issue.

diff --git a/lib/private/util.php b/lib/private/util.php
index 46a6171633372bc9bc519015c1a9abee53f92701..4476b857e4dd981425b6f659298c55514e58d898 100755 (executable)
--- a/lib/private/util.php
+++ b/lib/private/util.php
@@ -847,8 +847,10 @@ class OC_Util {
         */
        public static function getDefaultPageUrl() {
                $urlGenerator = \OC::$server->getURLGenerator();
-               if (isset($_REQUEST['redirect_url'])) {
-                       $location = urldecode($_REQUEST['redirect_url']);
+               // Deny the redirect if the URL contains a @
+               // This prevents unvalidated redirects like ?redirect_url=:user@domain.com
+               if (isset($_REQUEST['redirect_url']) && strpos($_REQUEST['redirect_url'], '@') === false) {
+                       $location = $urlGenerator->getAbsoluteURL(urldecode($_REQUEST['redirect_url']));
                } else {
                        $defaultPage = OC_Appconfig::getValue('core', 'defaultpage');
                        if ($defaultPage) {