Skip to content
Permalink
Browse files

bug 1484: prevent XSS vulnerability, encode url.

improvement: no need to transmit the REQUEST_URI from PHP, Smarty already
knows it.

git-svn-id: http://piwigo.org/svn/trunk@5990 68402e56-0260-453c-a942-63ccdbb3a9ee
  • Loading branch information...
plegall committed Apr 29, 2010
1 parent ba70c8f commit e7487082c32de87efd756bf05ae8539d38cda373
@@ -54,7 +54,7 @@
}
else
{
$redirect_to = isset($_POST['redirect']) ? $_POST['redirect'] : '';
$redirect_to = isset($_POST['redirect']) ? urldecode($_POST['redirect']) : '';
$remember_me = isset($_POST['remember_me']) and $_POST['remember_me']==1;
if ( try_log_user($_POST['username'], $_POST['password'], $remember_me) )
{
@@ -134,7 +134,6 @@ public function apply($var, $file)
global $template;
$template->set_filename('menubar', $file);
$template->assign(array('U_REDIRECT' => $_SERVER['REQUEST_URI']));
trigger_action('blockmanager_apply', array(&$this) );
foreach( $this->display_blocks as $id=>$block)
@@ -21,7 +21,7 @@
<fieldset>
<legend>{'Connection settings'|@translate}</legend>

<input type="hidden" name="redirect" value="{$U_REDIRECT}">
<input type="hidden" name="redirect" value="{$U_REDIRECT|urlencode}">

<ul>
<li>
@@ -28,7 +28,7 @@

{if isset($U_LOGIN)}
<form method="post" action="{$U_LOGIN}" id="quickconnect">
<input type="hidden" name="redirect" value="{$U_REDIRECT}">
<input type="hidden" name="redirect" value="{$smarty.server.REQUEST_URI|urlencode}">
<fieldset>
<legend>{'Quick connect'|@translate}</legend>
<div>

0 comments on commit e748708

Please sign in to comment.
You can’t perform that action at this time.