Disallow URLs containing a @
authorLukas Reschke <lukas@statuscode.ch>
Mon, 22 Apr 2013 21:26:40 +0000 (00:26 +0300)
committerLukas Reschke <lukas@statuscode.ch>
Mon, 22 Apr 2013 21:26:40 +0000 (00:26 +0300)
lib/base.php

index 7b0967df9f9ac28f762e4fc70f8ce610c9057491..a32ed460907f2d371f138b6f83be543dd1bb67c7 100644 (file)
@@ -631,8 +631,13 @@ class OC {
                // Handle redirect URL for logged in users
                if (isset($_REQUEST['redirect_url']) && OC_User::isLoggedIn()) {
                        $location = OC_Helper::makeURLAbsolute(urldecode($_REQUEST['redirect_url']));
-                       header('Location: ' . $location);
-                       return;
+                       
+                       // Deny the redirect if the URL contains a @
+                       // This prevents unvalidated redirects like ?redirect_url=:user@domain.com
+                       if (strpos($location, '@') === FALSE) {
+                               header('Location: ' . $location);
+                               return;
+                       }
                }
                // Handle WebDAV
                if ($_SERVER['REQUEST_METHOD'] == 'PROPFIND') {
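Review bot: The new guard `if (strpos($location, '@') === FALSE)` is a denylist of a single character: it rejects userinfo-style targets but never establishes that `$location` actually points back at this server, and whether `OC_Helper::makeURLAbsolute` enforces that is not visible here. An allowlist check on the parsed target, e.g. `$host = parse_url($location, PHP_URL_HOST);` compared against the application's own host before the `header()` call, would cover the general open-redirect case rather than one spelling of it. When the guard fails the request silently falls through to the WebDAV and normal handling with no log entry, so a rejected redirect attempt leaves no trace for detection; a log line at that point (with the offending `redirect_url`) would be worth adding. Minor style: `FALSE` should be lowercase `false`. The enclosing method of class OC starts and ends outside the hunk.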