From 7192932022510d830d1fc2373a9edb80fee24f48 Mon Sep 17 00:00:00 2001
From: Damian Mooyman
Date: Tue, 8 Sep 2015 09:46:57 +1200
Subject: [PATCH] [ss-2015-015]: Fix insecure returnURL in DatabaseAdmin
---
 model/DatabaseAdmin.php | 28 ++++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)
diff --git a/model/DatabaseAdmin.php b/model/DatabaseAdmin.php
index 94b0c37a9..541ddc807 100644
--- a/model/DatabaseAdmin.php
+++ b/model/DatabaseAdmin.php
@@ -90,17 +90,37 @@ class DatabaseAdmin extends Controller {
 // Get all our classes
 SS_ClassLoader::instance()->getManifest()->regenerate();
- if(isset($_GET['returnURL'])) {
+ $url = $this->getReturnURL();
+ if($url) {
 echo "

Setting up the database; you will be returned to your site shortly....

";
 $this->doBuild(true);
 echo "

Done!

";
- $this->redirect($_GET['returnURL']);
+ $this->redirect($url);
 } else {
- $this->doBuild(isset($_REQUEST['quiet']) || isset($_REQUEST['from_installer']),
- !isset($_REQUEST['dont_populate']));
+ $quiet = $this->request->requestVar('quiet') !== null;
+ $fromInstaller = $this->request->requestVar('from_installer') !== null;
+ $populate = $this->request->requestVar('dont_populate') === null;
+ $this->doBuild($quiet || $fromInstaller, $populate);
 }
 }
+ /**
+ * Gets the url to return to after build
+ *
+ * @return string|null
+ */
+ protected function getReturnURL() {
+ $url = $this->request->getVar('returnURL');
+
+ // Check that this url is a site url
+ if(empty($url) || !Director::is_site_url($url)) {
+ return null;
+ }
+
+ // Convert to absolute URL
+ return Director::absoluteURL($url, true);
+ }
+
 /**
 * Check if database needs to be built, and build it if it does.
 */
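Review bot: In `getReturnURL()` the only check between the `returnURL` query parameter and `$this->redirect($url)` is `Director::is_site_url()`, which is defined outside this hunk, and the patch adds no test for it. A unit test that passes off-site and scheme-relative values through `getReturnURL()` and expects `null` would pin the fix, and the docblock should state the contract, e.g. `Returns the validated returnURL as an absolute site URL, or null when it is missing or not a site URL`. Separately, replacing `$_GET`/`$_REQUEST` with `$this->request` assumes `build()` is only reached through request handling; if a caller can invoke it on a controller with no request set (not visible here), `getVar()` would be called on null, so a guard such as `if(!$this->request) return null;` at the top of `getReturnURL()` may be warranted. The body of `build()` starts above the hunk.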