removing minor redirect vulnerability

web/concrete/core/controllers/single_pages/download_file.php

@@ -18,6 +18,16 @@ public function view($fID = 0, $rcID=NULL) {
 			$file = File::getByID($fID);
 			if ($file instanceof File && $file->getFileID() > 0) {
 
+				$rcID = Loader::helper('security')->sanitizeInt($rcID);
+				if ($rcID > 0) {
+					$rc = Page::getByID($rcID, 'ACTIVE');
+					if (is_object($rc) && !$rc->isError()) {
+						$rcp = new Permissions($rc);
+						if ($rcp->canViewPage()) {
+							$this->set('rc', $rc);
+						}
+					}
+				}
 				$fp = new Permissions($file);
 				if (!$fp->canViewFile()) {
 					return false;
@@ -68,6 +78,7 @@ public function submit_password($fID = 0) {
 			$f = File::getByID($fID);
 
 			$rcID = ($this->post('rcID')?$this->post('rcID'):NULL);
+			$rcID = Loader::helper('security')->sanitizeInt($rcID);
 
 			if ($f->getPassword() == $this->post('password')) {
 				if($this->post('force')) {

web/concrete/single_pages/download_file.php

@@ -2,12 +2,6 @@
 
 defined('C5_EXECUTE') or die("Access Denied.");
 
-// File ID = $fID
-// get the file and 
-// Find out where to take the user once they're done.
-// We check for a posted value, to see if this is the users first page load or after submitting a password, etc.
-$returnURL = ($_POST['returnURL']) ? $_POST['returnURL'] : $_SERVER['HTTP_REFERER'];
-
 ?>
 
 <h1><?=t('Download File')?></h1>
@@ -28,7 +22,6 @@
 		<? if(isset($force)) { ?>
 			<input type="hidden" value="<?= $force ?>" name="force" />
 		<? } ?>
-		<input type="hidden" value="<?= $returnURL ?>" name="returnURL" />
 		<input type="hidden" value="<?= $rcID ?>" name="rcID"/>
 		<label for="password"><?=t('Password')?>: <input type="password" name="password" /></label>
 		<br /><br />
@@ -37,6 +30,6 @@
 
 <? } ?>
 
-<? if ($returnURL) { ?>
-<p><a href="<?=$returnURL?>">&lt; <?=t('Back')?></a></p>
+<? if (is_object($rc)) { ?>
+<p><a href="<?=Loader::helper('navigation')->getLinkToCollection($rc)?>">&lt; <?=t('Back')?></a></p>
 <? } ?>