make redirect safe by restricting it to current host

This commit is contained in:
Michiel de Jong 2012-05-18 15:32:41 +02:00
parent 9b5e8a2c63
commit 1a874b4c56
2 changed files with 2 additions and 2 deletions

View file

@ -117,6 +117,6 @@ elseif(OC_User::isLoggedIn()) {
if(!array_key_exists('sectoken', $_SESSION) || (array_key_exists('sectoken', $_SESSION) && is_null(OC::$REQUESTEDFILE)) || substr(OC::$REQUESTEDFILE, -3) == 'php'){
$sectoken=rand(1000000,9999999);
$_SESSION['sectoken']=$sectoken;
OC_Template::printGuestPage('', 'login', array('error' => $error, 'sectoken' => $sectoken, 'redirect' => $_SERVER['REQUEST_URI']));
OC_Template::printGuestPage('', 'login', array('error' => $error, 'sectoken' => $sectoken, 'redirect' => substr($_SERVER['REQUEST_URI'], 1)));
}
}

View file

@ -312,7 +312,7 @@ class OC_Util {
*/
public static function redirectToDefaultPage(){
if(isset($_REQUEST['redirect_url'])) {
header( 'Location: '.$_REQUEST['redirect_url']);
header( 'Location: /'.$_REQUEST['redirect_url']);
} else {
header( 'Location: '.OC::$WEBROOT.'/'.OC_Appconfig::getValue('core', 'defaultpage', '?app=files'));
}