BUG Fix malformed urls redirecting to external sites

control/Controller.php

@@ -509,6 +509,7 @@ class Controller extends RequestHandler implements TemplateGlobalProvider {
 
 		// absolute redirection URLs not located on this site may cause phishing
 		if(Director::is_site_url($url)) {
+			$url = Director::absoluteURL($url);
 			return $this->redirect($url);
 		} else {
 			return false;

forms/Form.php

@@ -432,6 +432,7 @@ class Form extends RequestHandler {
 						if(Director::is_site_url($pageURL)) {
 							// Remove existing pragmas
 							$pageURL = preg_replace('/(#.*)/', '', $pageURL);
+							$pageURL = Director::absoluteURL($pageURL);
 							return $this->controller->redirect($pageURL . '#' . $this->FormName());
 						}
 					}

security/ChangePasswordForm.php

@@ -108,12 +108,12 @@ class ChangePasswordForm extends Form {
 				$member->FailedLoginCount = null;
 				$member->write();
 				
-				if (isset($_REQUEST['BackURL']) 
-					&& $_REQUEST['BackURL'] 
+				if (!empty($_REQUEST['BackURL'])
 					// absolute redirection URLs may cause spoofing 
 					&& Director::is_site_url($_REQUEST['BackURL'])
 				) {
-					return $this->controller->redirect($_REQUEST['BackURL']);
+					$url = Director::absoluteURL($_REQUEST['BackURL']);
+					return $this->controller->redirect($url);
 				}
 				else {
 					// Redirect to default location - the login form saying "You are logged in as..."

security/MemberLoginForm.php

@@ -190,7 +190,7 @@ JS;
 	 * )
 	 *
 	 * @param array $data
-	 * @return void
+	 * @return SS_HTTPResponse
 	 */
 	protected function logInUserAndRedirect($data) {
 		Session::clear('SessionForms.MemberLoginForm.Email');
@@ -209,18 +209,21 @@ JS;
 		}
 
 		// Absolute redirection URLs may cause spoofing
-		if(isset($_REQUEST['BackURL']) && $_REQUEST['BackURL'] && Director::is_site_url($_REQUEST['BackURL']) ) {
-			return $this->controller->redirect($_REQUEST['BackURL']);
-		}
-
-		// Spoofing attack, redirect to homepage instead of spoofing url
-		if(isset($_REQUEST['BackURL']) && $_REQUEST['BackURL'] && !Director::is_site_url($_REQUEST['BackURL'])) {
-			return $this->controller->redirect(Director::absoluteBaseURL());
+		if(!empty($_REQUEST['BackURL'])) {
+			$url = $_REQUEST['BackURL'];
+			if(Director::is_site_url($url) ) {
+				$url = Director::absoluteURL($url);
+			} else {
+				// Spoofing attack, redirect to homepage instead of spoofing url
+				$url = Director::absoluteBaseURL();
+			}
+			return $this->controller->redirect($url);
 		}
 
 		// If a default login dest has been set, redirect to that.
-		if (Security::config()->default_login_dest) {
-			return $this->controller->redirect(Director::absoluteBaseURL() . Security::config()->default_login_dest);
+		if ($url = Security::config()->default_login_dest) {
+			$url = Controller::join_links(Director::absoluteBaseURL(), $url);
+			return $this->controller->redirect($url);
 		}
 
 		// Redirect the user to the page where they came from