author | ArthurHoaro <arthur@hoa.ro> | 2020-09-22 15:17:13 +0200 |
---|---|---|
committer | ArthurHoaro <arthur@hoa.ro> | 2020-09-22 15:37:26 +0200 |
commit | abe033be855f76fde9e8576ce36460fbb23b1e57 (patch) | |
tree | eefc804a0cb8c0497a03c954667fd3e75598d0aa /application/front | |
parent | 5baafe5001ef2fbe88d3fcdcc225ec12edd3fef1 (diff) | |
Fix invalid redirection using the path of an external domain
Fixes #1554
Diffstat (limited to 'application/front')
-rw-r--r-- | application/front/controller/visitor/ShaarliVisitorController.php | 7 |
1 files changed, 7 insertions, 0 deletions
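--- a/application/front/controller/visitor/ShaarliVisitorController.php
+++ b/application/front/controller/visitor/ShaarliVisitorController.php
@@ -142,6 +142,13 @@ abstract class ShaarliVisitorController
 
         if (null !== $referer) {
             $currentUrl = parse_url($referer);
+            // If the referer is not related to Shaarli instance, redirect to default
+            if (isset($currentUrl['host'])
+                && strpos(index_url($this->container->environment), $currentUrl['host']) === false
+            ) {
+                return $response->withRedirect($defaultPath);
+            }
+
             parse_str($currentUrl['query'] ?? '', $params);
             $path = $currentUrl['path'] ?? $defaultPath;
         } else {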
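Review bot: The host check on new line 147 is a substring test rather than a host comparison: `strpos(index_url(...), $currentUrl['host']) === false` accepts any attacker-supplied referer host that occurs anywhere in the instance URL string, so for an instance at `https://links.example.org/` a referer from `https://example.org/...` (or any host whose name is a substring of that URL) is treated as local and its path and query on lines 152-153 are still used to build the redirect. Compare the parsed hosts instead, case-insensitively since hostnames are: `$instanceHost = (string) parse_url(index_url($this->container->environment), PHP_URL_HOST);` and `&& strcasecmp($currentUrl['host'], $instanceHost) !== 0`. Separately, `parse_url()` should keep a leading `//` in `path` (a referer of `https://<instance-host>//evil.example/` yields path `//evil.example/`), so if `$path` later reaches `withRedirect()` without the instance base path prepended — that code is outside the hunk — the Location becomes protocol-relative and leaves the domain; rejecting paths that start with `//` would close that. The enclosing method starts and ends outside this hunk.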