diff --git a/control/Controller.php b/control/Controller.php
index e0416661c..32d876990 100644
--- a/control/Controller.php
+++ b/control/Controller.php
@@ -509,6 +509,7 @@ class Controller extends RequestHandler implements TemplateGlobalProvider {
 // absolute redirection URLs not located on this site may cause phishing
 if(Director::is_site_url($url)) {
+ $url = Director::absoluteURL($url);
 return $this->redirect($url);
 } else {
 return false;
diff --git a/forms/Form.php b/forms/Form.php
index 03ec19afd..c872c1d26 100644
--- a/forms/Form.php
+++ b/forms/Form.php
@@ -432,6 +432,7 @@ class Form extends RequestHandler {
 if(Director::is_site_url($pageURL)) {
 // Remove existing pragmas
 $pageURL = preg_replace('/(#.*)/', '', $pageURL);
+ $pageURL = Director::absoluteURL($pageURL);
 return $this->controller->redirect($pageURL . '#' . $this->FormName());
 }
 }
diff --git a/security/ChangePasswordForm.php b/security/ChangePasswordForm.php
index 42106748f..4ed58fc5b 100644
--- a/security/ChangePasswordForm.php
+++ b/security/ChangePasswordForm.php
@@ -108,12 +108,12 @@ class ChangePasswordForm extends Form {
 $member->FailedLoginCount = null;
 $member->write();
- if (isset($_REQUEST['BackURL'])
- && $_REQUEST['BackURL']
+ if (!empty($_REQUEST['BackURL'])
 // absolute redirection URLs may cause spoofing
 && Director::is_site_url($_REQUEST['BackURL'])
 ) {
- return $this->controller->redirect($_REQUEST['BackURL']);
+ $url = Director::absoluteURL($_REQUEST['BackURL']);
+ return $this->controller->redirect($url);
 } else {
 // Redirect to default location - the login form saying "You are logged in as..."
diff --git a/security/MemberLoginForm.php b/security/MemberLoginForm.php
index 7ac4d61f7..ec87dd8aa 100644
--- a/security/MemberLoginForm.php
+++ b/security/MemberLoginForm.php
@@ -190,7 +190,7 @@ JS;
 * )
 *
 * @param array $data
- * @return void
+ * @return SS_HTTPResponse
 */
 protected function logInUserAndRedirect($data) {
 Session::clear('SessionForms.MemberLoginForm.Email');
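Review bot: The added `$url = Director::absoluteURL($url);` in control/Controller.php carries no comment saying why a value that `is_site_url()` has already accepted is converted to an absolute URL before `redirect()`, and the existing comment above it only explains the phishing check. A one-line rationale keeps the check-then-normalise ordering from being "simplified" away later, e.g. `// is_site_url() has validated the raw value; normalise it to an absolute URL on this site before redirecting`. The same unexplained line is added in the forms/Form.php and security/ChangePasswordForm.php hunks. The enclosing method starts and ends outside this hunk.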
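Review bot: `!empty($_REQUEST['BackURL'])` in security/ChangePasswordForm.php accepts a non-empty array as well as a string, so an array-valued `BackURL` parameter passes the guard and the array is handed to `Director::is_site_url()` and then `Director::absoluteURL()`; unless those helpers reject non-strings themselves, that is at best a warning and at worst an unexpected type flowing into the redirect target. Tighten the guard to `if (!empty($_REQUEST['BackURL']) && is_string($_REQUEST['BackURL'])` so only a string ever reaches the URL checks. The second hunk of security/MemberLoginForm.php has the same shape in its new `if(!empty($_REQUEST['BackURL']))`. The enclosing method starts and ends outside this hunk.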
@@ -209,18 +209,21 @@ JS;
 }
 // Absolute redirection URLs may cause spoofing
- if(isset($_REQUEST['BackURL']) && $_REQUEST['BackURL'] && Director::is_site_url($_REQUEST['BackURL']) ) {
- return $this->controller->redirect($_REQUEST['BackURL']);
- }
-
- // Spoofing attack, redirect to homepage instead of spoofing url
- if(isset($_REQUEST['BackURL']) && $_REQUEST['BackURL'] && !Director::is_site_url($_REQUEST['BackURL'])) {
- return $this->controller->redirect(Director::absoluteBaseURL());
+ if(!empty($_REQUEST['BackURL'])) {
+ $url = $_REQUEST['BackURL'];
+ if(Director::is_site_url($url) ) {
+ $url = Director::absoluteURL($url);
+ } else {
+ // Spoofing attack, redirect to homepage instead of spoofing url
+ $url = Director::absoluteBaseURL();
+ }
+ return $this->controller->redirect($url);
 }
 // If a default login dest has been set, redirect to that.
- if (Security::config()->default_login_dest) {
- return $this->controller->redirect(Director::absoluteBaseURL() . Security::config()->default_login_dest);
+ if ($url = Security::config()->default_login_dest) {
+ $url = Controller::join_links(Director::absoluteBaseURL(), $url);
+ return $this->controller->redirect($url);
 }
 // Redirect the user to the page where they came from
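Review bot: `if ($url = Security::config()->default_login_dest) {` assigns inside the condition and reuses the `$url` name that the BackURL branch above uses for request-supplied input, which reads like a typo for `==` and makes the two meanings of `$url` easy to confuse on a later edit. Prefer a separate, explicitly assigned local: `$dest = Security::config()->default_login_dest;` / `if ($dest) {` / `$url = Controller::join_links(Director::absoluteBaseURL(), $dest);`. The method `logInUserAndRedirect` starts before this hunk and continues after it.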