diff options
| author | Michiel de Jong <michiel@unhosted.org> | 2012-05-18 15:32:41 +0200 |
|---|---|---|
| committer | Michiel de Jong <michiel@unhosted.org> | 2012-05-18 15:32:41 +0200 |
| commit | 1a874b4c56af0ef4ef20c37a2b5d348551759ff9 (patch) | |
| tree | a008374246830f209dda93dd0d1133c11fff08d2 | |
| parent | 9b5e8a2c634e07d9c6e1693158e224eda7e5f673 (diff) | |
| download | nextcloud-server-1a874b4c56af0ef4ef20c37a2b5d348551759ff9.tar.gz nextcloud-server-1a874b4c56af0ef4ef20c37a2b5d348551759ff9.zip | |
make redirect safe by restricting it to current host
| -rw-r--r-- | index.php | 2 | ||||
| -rw-r--r-- | lib/util.php | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/index.php b/index.php index 8eea0fe454f..94b9def0b41 100644 --- a/index.php +++ b/index.php @@ -117,6 +117,6 @@ elseif(OC_User::isLoggedIn()) { if(!array_key_exists('sectoken', $_SESSION) || (array_key_exists('sectoken', $_SESSION) && is_null(OC::$REQUESTEDFILE)) || substr(OC::$REQUESTEDFILE, -3) == 'php'){ $sectoken=rand(1000000,9999999); $_SESSION['sectoken']=$sectoken; - OC_Template::printGuestPage('', 'login', array('error' => $error, 'sectoken' => $sectoken, 'redirect' => $_SERVER['REQUEST_URI'])); + OC_Template::printGuestPage('', 'login', array('error' => $error, 'sectoken' => $sectoken, 'redirect' => substr($_SERVER['REQUEST_URI'], 1))); } } diff --git a/lib/util.php b/lib/util.php index 0e4f3689e79..d2dd28b7da8 100644 --- a/lib/util.php +++ b/lib/util.php @@ -312,7 +312,7 @@ class OC_Util { */ public static function redirectToDefaultPage(){ if(isset($_REQUEST['redirect_url'])) { - header( 'Location: '.$_REQUEST['redirect_url']); + header( 'Location: /'.$_REQUEST['redirect_url']); } else { header( 'Location: '.OC::$WEBROOT.'/'.OC_Appconfig::getValue('core', 'defaultpage', '?app=files')); } |