Don't allow redirect to external website

2025-10-17 19:23:27 +02:00 · 2024-04-08 19:05:42 +02:00
parent 7181b988e9
commit ef62b53cec
2 changed files with 7 additions and 6 deletions
--- a/system/pages/accountmanagement.php
+++ b/system/pages/accountmanagement.php
@@ -52,9 +52,16 @@ $errors = array();
 	{
 		$redirect = urldecode($_REQUEST['redirect']);

+		// should never happen, unless hacker modify the URL
+		if (strpos($_REQUEST['redirect'], BASE_URL) === false) {
+			error('Fatal error: Cannot redirect outside the website.');
+			return;
+		}
+
 		$twig->display('account.redirect.html.twig', array(
 			'redirect' => $redirect
 		));
+
 		return;
 	}