From 5cabd56ac6d01af042c3a6ed12c0a16b56a41ce4 Mon Sep 17 00:00:00 2001
From: Sam Minnee <sam@silverstripe.com>
Date: Wed, 13 Oct 2010 03:36:39 +0000
Subject: [PATCH] ENHANCEMENT: allow ChangePasswordForm to redirect to BackURL
 (from #5420) (from r103229)

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@112126 467b73ca-7a2a-4603-9d3b-597d59a354a9
---
 security/ChangePasswordForm.php | 26 +++++++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)

diff --git a/security/ChangePasswordForm.php b/security/ChangePasswordForm.php
index eaecdfdae..f15e74425 100755
--- a/security/ChangePasswordForm.php
+++ b/security/ChangePasswordForm.php
@@ -20,6 +20,12 @@ class ChangePasswordForm extends Form {
 	 *                                     form - a {@link FieldSet} of
 	 */
 	function __construct($controller, $name, $fields = null, $actions = null) {
+		if(isset($_REQUEST['BackURL'])) {
+			$backURL = $_REQUEST['BackURL'];
+		} else {
+			$backURL = Session::get('BackURL');
+		}
+		
 		if(!$fields) {
 			$fields = new FieldSet();
 			if(Member::currentUser() && (!isset($_REQUEST['h']) || !Member::member_from_autologinhash($_REQUEST['h']))) {
@@ -35,6 +41,10 @@ class ChangePasswordForm extends Form {
 			);
 		}
 
+		if(isset($backURL)) {
+			$fields->push(new HiddenField('BackURL', 'BackURL', $backURL));
+		}
+
 		parent::__construct($controller, $name, $fields, $actions);
 	}
 
@@ -88,9 +98,19 @@ class ChangePasswordForm extends Form {
 					_t('Member.PASSWORDCHANGED', "Your password has been changed, and a copy emailed to you."),
 					"good");
 				Session::clear('AutoLoginHash');
-				$redirectURL = HTTP::setGetVar('BackURL', urlencode(Director::absoluteBaseURL()), Security::Link('login'));
-				Director::redirect($redirectURL);
-
+				
+				if (isset($_REQUEST['BackURL']) 
+					&& $_REQUEST['BackURL'] 
+					// absolute redirection URLs may cause spoofing 
+					&& Director::is_site_url($_REQUEST['BackURL'])
+				) {
+					Director::redirect($_REQUEST['BackURL']);
+				}
+				else {
+					// Redirect to default location - the login form saying "You are logged in as..."
+					$redirectURL = HTTP::setGetVar('BackURL', urlencode(Director::absoluteBaseURL()), Security::Link('login'));
+					Director::redirect($redirectURL);					
+				}
 			} else {
 				$this->clearMessage();
 				$this->sessionMessage(