From e7e2b5503580e42db9d91e0d599d61d3ff03c27e Mon Sep 17 00:00:00 2001
From: Damien Regad
Date: Sat, 10 Jan 2015 23:25:54 +0100
Subject: [PATCH] Fix URL redirection issue in login_page.php

The fix for issue #17648 failed to correct all cases of redirection. Alejo Popovici discovered that the regex checking for URLs pointing to other domains considered an URL with a single '/' as local, allowing redirection e.g. to http:/google.com on certain browsers.
Fixes #17997 (CVE-2015-1042)
---
 core/string_api.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/string_api.php b/core/string_api.php
index 567a54cfad..064cf69288 100644
--- a/core/string_api.php
+++ b/core/string_api.php
@@ -268,7 +268,7 @@ function string_sanitize_url( $p_url, $p_return_absolute = false ) {
 # Check for URL's pointing to other domains
 if( 0 == $t_type || empty( $t_matches['script'] ) ||
- 3 == $t_type && preg_match( '@(?:[^:]*)?://@', $t_url ) > 0 ) {
+ 3 == $t_type && preg_match( '@(?:[^:]*)?:/*@', $t_url ) > 0 ) {
 return ( $p_return_absolute ? $t_path . '/' : '' ) . 'index.php';
 }
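Review bot: The new pattern `'@(?:[^:]*)?:/*@'` on the added line is unanchored and `/*` accepts zero slashes, so it matches any `$t_url` that contains a `:` anywhere; the optional `(?:[^:]*)?` group adds nothing. That is broader than the "single '/'" case in the commit message. It fails safe, but a local URL with a colon in its query string would presumably also be sent to `index.php`. If rejecting every colon is the intent, say so next to the check, e.g. `# Any ':' in a type-3 URL is treated as a scheme separator (covers 'scheme:/host' and 'scheme:host')`, and reduce the test to `strpos( $t_url, ':' ) !== false`. The condition also mixes `||` and `&&` without grouping, so parentheses around `3 == $t_type && preg_match( ... ) > 0` would make the precedence explicit. `string_sanitize_url()` starts and ends outside this hunk, so whether scheme-less forms such as a leading `//` are rejected earlier cannot be confirmed from here; a regression test covering those inputs alongside the case from #17997 would pin the behaviour.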