Merge pull request #1560 from ArthurHoaro/fix/redirect-wrong-path

Fix invalid redirection using the path of an external domain
author: ArthurHoaro <arthur@hoa.ro> 2020-09-25 10:59:51 +0200
committer: GitHub <noreply@github.com> 2020-09-25 10:59:51 +0200
commit: 585fc700fa711170df711990f51f226ecd831ef7 (patch)
tree: f98ac03d106b67b17d9bbc3803e76fb9f8b7297f /application
parent: 85b972baf67c61ebabf1ce332358e4dfd2456a4e (diff)
parent: abe033be855f76fde9e8576ce36460fbb23b1e57 (diff)
download: Shaarli-585fc700fa711170df711990f51f226ecd831ef7.tar.gz
Shaarli-585fc700fa711170df711990f51f226ecd831ef7.tar.zst
Shaarli-585fc700fa711170df711990f51f226ecd831ef7.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/application/front/controller/visitor/ShaarliVisitorController.php b/application/front/controller/visitor/ShaarliVisitorController.php
index cd27455b..55c075a2 100644
--- a/application/front/controller/visitor/ShaarliVisitorController.php
+++ b/application/front/controller/visitor/ShaarliVisitorController.php
@@ -142,6 +142,13 @@ abstract class ShaarliVisitorController
        if (null !== $referer) {
            $currentUrl = parse_url($referer);
+            // If the referer is not related to Shaarli instance, redirect to default
+            if (isset($currentUrl['host'])
+                && strpos(index_url($this->container->environment), $currentUrl['host']) === false
+            ) {
+                return $response->withRedirect($defaultPath);
+            }
            parse_str($currentUrl['query'] ?? '', $params);
            $path = $currentUrl['path'] ?? $defaultPath;
        } else {
author	ArthurHoaro <arthur@hoa.ro>	2020-09-25 10:59:51 +0200
committer	GitHub <noreply@github.com>	2020-09-25 10:59:51 +0200
commit	585fc700fa711170df711990f51f226ecd831ef7 (patch)
tree	f98ac03d106b67b17d9bbc3803e76fb9f8b7297f /application
parent	85b972baf67c61ebabf1ce332358e4dfd2456a4e (diff)
parent	abe033be855f76fde9e8576ce36460fbb23b1e57 (diff)
download	Shaarli-585fc700fa711170df711990f51f226ecd831ef7.tar.gz Shaarli-585fc700fa711170df711990f51f226ecd831ef7.tar.zst Shaarli-585fc700fa711170df711990f51f226ecd831ef7.zip

diff --git a/application/front/controller/visitor/ShaarliVisitorController.php b/application/front/controller/visitor/ShaarliVisitorController.php index cd27455b..55c075a2 100644 --- a/application/front/controller/visitor/ShaarliVisitorController.php +++ b/application/front/controller/visitor/ShaarliVisitorController.php
@@ -142,6 +142,13 @@ abstract class ShaarliVisitorController
142		142
143	if (null !== $referer) {	143	if (null !== $referer) {
144	$currentUrl = parse_url($referer);	144	$currentUrl = parse_url($referer);
		145	// If the referer is not related to Shaarli instance, redirect to default
		146	if (isset($currentUrl['host'])
		147	&& strpos(index_url($this->container->environment), $currentUrl['host']) === false
		148	) {
		149	return $response->withRedirect($defaultPath);
		150	}
		151
145	parse_str($currentUrl['query'] ?? '', $params);	152	parse_str($currentUrl['query'] ?? '', $params);
146	$path = $currentUrl['path'] ?? $defaultPath;	153	$path = $currentUrl['path'] ?? $defaultPath;
147	} else {	154	} else {