From eb0c2a76741329cf7260ca077e5260d0828d6105 Mon Sep 17 00:00:00 2001
From: slawkens <slawkens@gmail.com>
Date: Sun, 14 Apr 2024 16:02:55 +0200
Subject: [PATCH] Post-fix redirect

---
 system/pages/account/manage.php   | 6 ++++++
 system/pages/account/redirect.php | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/system/pages/account/manage.php b/system/pages/account/manage.php
index 615ffdc7..d0a3eb75 100644
--- a/system/pages/account/manage.php
+++ b/system/pages/account/manage.php
@@ -21,6 +21,12 @@ if(!$logged) {
 if(isset($_REQUEST['redirect']))
 {
 	$redirect = urldecode($_REQUEST['redirect']);
+	
+	// should never happen, unless hacker modify the URL
+	if (!str_contains($redirect, BASE_URL)) {
+		error('Fatal error: Cannot redirect outside the website.');
+		return;
+	}
 
 	$twig->display('account.redirect.html.twig', array(
 		'redirect' => $redirect
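Review bot: The guard added at `if (!str_contains($redirect, BASE_URL))` does not close the open redirect, because a substring test accepts any URL that merely contains BASE_URL somewhere in it (in another host's path or query string, for example); the identical check is kept in redirect.php in the second hunk. Restricting the redirect to this site's own origin means comparing the parsed scheme and host of `$redirect` with those of BASE_URL, as below; a prefix check (`str_starts_with($redirect, BASE_URL)`) is a smaller change but still admits a foreign host whose name begins with the site's host unless BASE_URL ends with a slash. Separately, `urldecode()` is applied to a `$_REQUEST` value PHP has already decoded, so a literal `%` in a legitimate redirect path is decoded twice; whether that matters depends on which URLs this page is given. The body of `if(isset($_REQUEST['redirect']))` continues past the end of the hunk.
```php
	$redirect = urldecode($_REQUEST['redirect']);

	// Allow only this site's own origin: compare the parsed scheme and host,
	// not a substring, which would also match BASE_URL inside a foreign URL.
	$target = parse_url($redirect);
	$base = parse_url(BASE_URL);
	if ($target === false || !isset($target['host'])
		|| strcasecmp($target['host'], $base['host'] ?? '') !== 0
		|| ($target['scheme'] ?? '') !== ($base['scheme'] ?? '')) {
		error('Fatal error: Cannot redirect outside the website.');
		return;
	}
	// … unchanged: twig display of account.redirect.html.twig …
```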
diff --git a/system/pages/account/redirect.php b/system/pages/account/redirect.php
index 16659160..78bc54d9 100644
--- a/system/pages/account/redirect.php
+++ b/system/pages/account/redirect.php
@@ -13,7 +13,7 @@ defined('MYAAC') or die('Direct access not allowed!');
 $redirect = urldecode($_REQUEST['redirect']);
 
 // should never happen, unless hacker modify the URL
-if (!str_contains($_REQUEST['redirect'], BASE_URL)) {
+if (!str_contains($redirect, BASE_URL)) {
 	error('Fatal error: Cannot redirect outside the website.');
 	return;
 }