BUGFIX Checking for Director::is_site_url() before redirecting in Controller->redirectBack() and MemberLoginForm (Merged from r73252)

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.2@73276 467b73ca-7a2a-4603-9d3b-597d59a354a9
Sean Harvey 2009-03-18 02:46:17 +00:00 committed by Sam Minnee
parent a4e1df6f7a
commit 2ab2acc44f


@ -100,7 +100,12 @@ class MemberLoginForm extends LoginForm {
Session::clear('SessionForms.MemberLoginForm.Email');
Session::clear('SessionForms.MemberLoginForm.Remember');
if(isset($_REQUEST['BackURL']) && $backURL = $_REQUEST['BackURL']) {
if(
isset($_REQUEST['BackURL'])
&& $_REQUEST['BackURL']
// absolute redirection URLs may cause spoofing
&& Director::is_site_url($_REQUEST['BackURL'])
) {
Session::clear("BackURL");
Director::redirect($backURL);
} else {