
MDL-29925 improve redirect url cleanup

commit 581e8dba387f090d89382115fd850d8b44351526 1 parent 38e9a1c
Petr Škoda authored October 28, 2011

Showing 1 changed file with 31 additions and 23 deletions. Show diff stats Hide diff stats

  1. 54  lib/weblib.php
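--- a/lib/weblib.php
+++ b/lib/weblib.php
@@ -2301,6 +2301,37 @@ function redirect($url, $message='', $delay=-1) {
         }
     } while (false);
 
+    // Technically, HTTP/1.1 requires Location: header to contain the absolute path.
+    // (In practice browsers accept relative paths - but still, might as well do it properly.)
+    // This code turns relative into absolute.
+    if (!preg_match('|^[a-z]+:|', $url)) {
+        // Get host name http://www.wherever.com
+        $hostpart = preg_replace('|^(.*?[^:/])/.*$|', '$1', $CFG->wwwroot);
+        if (preg_match('|^/|', $url)) {
+            // URLs beginning with / are relative to web server root so we just add them in
+            $url = $hostpart.$url;
+        } else {
+            // URLs not beginning with / are relative to path of current script, so add that on.
+            $url = $hostpart.preg_replace('|\?.*$|','',me()).'/../'.$url;
+        }
+        // Replace all ..s
+        while (true) {
+            $newurl = preg_replace('|/(?!\.\.)[^/]*/\.\./|', '/', $url);
+            if ($newurl == $url) {
+                break;
+            }
+            $url = $newurl;
+        }
+    }
+
+    // Sanitise url - we can not rely on moodle_url or our URL cleaning
+    // because they do not support all valid external URLs
+    $url = preg_replace('/[\x00-\x1F\x7F]/', '', $url);
+    $url = str_replace('"', '%22', $url);
+    $encodedurl = preg_replace("/\&(?![a-zA-Z0-9#]{1,8};)/", "&", $url);
+    $encodedurl = preg_replace('/^.*href="([^"]*)".*$/', "\\1", clean_text('<a href="'.$encodedurl.'" />', FORMAT_HTML));
+    $url = str_replace('&amp;', '&', $encodedurl);
+
     if (!empty($message)) {
         if ($delay === -1 || !is_numeric($delay)) {
             $delay = 3;
@@ -2309,26 +2340,6 @@ function redirect($url, $message='', $delay=-1) {
     } else {
         $message = get_string('pageshouldredirect');
         $delay = 0;
-        // We are going to try to use a HTTP redirect, so we need a full URL.
-        if (!preg_match('|^[a-z]+:|', $url)) {
-            // Get host name http://www.wherever.com
-            $hostpart = preg_replace('|^(.*?[^:/])/.*$|', '$1', $CFG->wwwroot);
-            if (preg_match('|^/|', $url)) {
-                // URLs beginning with / are relative to web server root so we just add them in
-                $url = $hostpart.$url;
-            } else {
-                // URLs not beginning with / are relative to path of current script, so add that on.
-                $url = $hostpart.preg_replace('|\?.*$|','',me()).'/../'.$url;
-            }
-            // Replace all ..s
-            while (true) {
-                $newurl = preg_replace('|/(?!\.\.)[^/]*/\.\./|', '/', $url);
-                if ($newurl == $url) {
-                    break;
-                }
-                $url = $newurl;
-            }
-        }
     }
 
     if (defined('MDL_PERF') || (!empty($CFG->perfdebug) and $CFG->perfdebug > 7)) {
@@ -2338,9 +2349,6 @@ function redirect($url, $message='', $delay=-1) {
         }
     }
 
-    $encodedurl = preg_replace("/\&(?![a-zA-Z0-9#]{1,8};)/", "&amp;", $url);
-    $encodedurl = preg_replace('/^.*href="([^"]*)".*$/', "\\1", clean_text('<a href="'.$encodedurl.'" />'));
-
     if ($delay == 0 && !$debugdisableredirect && !headers_sent()) {
         // workaround for IIS bug http://support.microsoft.com/kb/q176113/
         if (session_id()) {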
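Review bot: The `href` extraction on new line 2332 is used without checking that the pattern matched: `preg_replace` returns its subject unchanged when nothing matches, so if `clean_text()` drops or rewrites the `href` attribute (presumably what it does for a scheme it rejects), `$url` ends up holding the cleaned anchor markup instead of a URL, and that string goes on to the redirect. I would capture with `preg_match('/href="([^"]*)"/', $cleaned, $m)` and fall back to a fixed local target such as `$CFG->wwwroot.'/'` when it fails. The control-character strip on line 2329 deserves a comment saying it is what keeps CR/LF out of the `Location:` header, e.g. `// strip control chars so the URL cannot split the Location header`. As rendered here the replacement string on line 2331 is `"&"`, which would make that line a no-op while the removed line used `"&amp;"`; this is probably a page-rendering artifact, but worth confirming against the file. `redirect()` begins and ends outside these hunks.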
