diff options
| author | Lukas Reschke <lukas@owncloud.com> | 2014-09-29 17:07:43 +0200 |
|---|---|---|
| committer | Lukas Reschke <lukas@owncloud.com> | 2014-09-29 17:07:43 +0200 |
| commit | 6e7365fc1725fdb6868398ebb821aa44a09fb903 (patch) | |
| tree | 0e1fa69ce3e73941c7580885e1c08ec24e5378df /lib/private/util.php | |
| parent | 6b45cb5416ddd8d06de628b984cc773567770565 (diff) | |
| download | nextcloud-server-6e7365fc1725fdb6868398ebb821aa44a09fb903.tar.gz nextcloud-server-6e7365fc1725fdb6868398ebb821aa44a09fb903.zip | |
Redirect only to absolute URL
We do not want to redirect to other domains using the "?redirect_url=" feature. Please notice, that the ownCloud project does not consider open redirectors as security issue.
Diffstat (limited to 'lib/private/util.php')
| -rwxr-xr-x | lib/private/util.php | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/lib/private/util.php b/lib/private/util.php index 46a61716333..4476b857e4d 100755 --- a/lib/private/util.php +++ b/lib/private/util.php @@ -847,8 +847,10 @@ class OC_Util { */ public static function getDefaultPageUrl() { $urlGenerator = \OC::$server->getURLGenerator(); - if (isset($_REQUEST['redirect_url'])) { - $location = urldecode($_REQUEST['redirect_url']); + // Deny the redirect if the URL contains a @ + // This prevents unvalidated redirects like ?redirect_url=:user@domain.com + if (isset($_REQUEST['redirect_url']) && strpos($_REQUEST['redirect_url'], '@') === false) { + $location = $urlGenerator->getAbsoluteURL(urldecode($_REQUEST['redirect_url'])); } else { $defaultPage = OC_Appconfig::getValue('core', 'defaultpage'); if ($defaultPage) { |