Don't allow redirect to external website

2025-04-26 01:09:21 +02:00 · 2024-04-08 19:08:21 +02:00 · 2024-04-08 19:08:21 +02:00 · c92a410209
commit c92a410209
parent 1186f94e21
2 changed files with 6 additions and 6 deletions
--- a/system/logout.php
+++ b/system/logout.php
@ -22,11 +22,5 @@ if(isset($account_logged) && $account_logged->isLoaded()) {

 		$logged = false;
 		unset($account_logged);
-
-		if(isset($_REQUEST['redirect']))
-		{
-			header('Location: ' . urldecode($_REQUEST['redirect']));
-			exit;
-		}
 	}
 }
--- a/system/pages/account/redirect.php
+++ b/system/pages/account/redirect.php
@ -12,6 +12,12 @@ defined('MYAAC') or die('Direct access not allowed!');

 $redirect = urldecode($_REQUEST['redirect']);

+// should never happen, unless hacker modify the URL
+if (!str_contains($_REQUEST['redirect'], BASE_URL)) {
+	error('Fatal error: Cannot redirect outside the website.');
+	return;
+}
+
 $twig->display('account.redirect.html.twig', array(
 	'redirect' => $redirect
 ));