From c92a410209e303838ce753f8cf80a9e35083ab78 Mon Sep 17 00:00:00 2001
From: slawkens
Date: Mon, 8 Apr 2024 19:08:21 +0200
Subject: [PATCH] Don't allow redirect to external website

---
 system/logout.php                 | 6 ------
 system/pages/account/redirect.php | 6 ++++++
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/system/logout.php b/system/logout.php
index 4f653ecb..dd72a455 100644
--- a/system/logout.php
+++ b/system/logout.php
@@ -22,11 +22,5 @@ if(isset($account_logged) && $account_logged->isLoaded()) {
 		$logged = false;
 		unset($account_logged);
-
-		if(isset($_REQUEST['redirect']))
-		{
-			header('Location: ' . urldecode($_REQUEST['redirect']));
-			exit;
-		}
 	}
 }
diff --git a/system/pages/account/redirect.php b/system/pages/account/redirect.php
index 8abff630..16659160 100644
--- a/system/pages/account/redirect.php
+++ b/system/pages/account/redirect.php
@@ -12,6 +12,12 @@ defined('MYAAC') or die('Direct access not allowed!');
 $redirect = urldecode($_REQUEST['redirect']);
+// should never happen, unless hacker modify the URL
+if (!str_contains($_REQUEST['redirect'], BASE_URL)) {
+	error('Fatal error: Cannot redirect outside the website.');
+	return;
+}
+
 $twig->display('account.redirect.html.twig', array(
 	'redirect' => $redirect
 ));
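Review bot: The new guard in redirect.php is a substring test, so `str_contains($_REQUEST['redirect'], BASE_URL)` still accepts an external URL that merely contains the site's base URL somewhere in it (for example inside its query string), which leaves the open redirect this commit set out to close. The check also reads the raw `$_REQUEST['redirect']` while the value handed to the template is the urldecode'd `$redirect`, so the two can disagree, and a request without the parameter triggers an undefined-index warning on the `urldecode` line before the guard runs. Compare the decoded value's prefix and fail closed on a missing parameter: `$redirect = urldecode($_REQUEST['redirect'] ?? '');` followed by `if (!str_starts_with($redirect, BASE_URL)) {`. If BASE_URL does not end with a trailing slash (not visible here), a prefix match alone still admits a host whose name merely begins with the site's hostname, so either include the slash in the comparison or compare `parse_url($redirect, PHP_URL_HOST)` against the site's own host; the comment should then say what the check enforces, e.g. `// only allow redirects back to this site (same origin as BASE_URL)`.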