login - use parse_url to validate if the provided redirect string is …

…actually parseable to prevent redirect. looks like #4061 was incomplete (bugfix 3c2f32e)
opnsense · Jul 4, 2023 · 6bc025a · 6bc025a
1 parent e60e4cd
commit 6bc025a
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/src/etc/inc/authgui.inc b/src/etc/inc/authgui.inc
@@ -188,7 +188,12 @@ function session_auth()
             if (!empty($_GET['url'])) {
                 $tmp_url_parts = parse_url($_GET['url']);
                 if ($tmp_url_parts !== false) {
-                    $redir_uri = $tmp_url_parts['path'];
+                    $redir_uri = sprintf(
+                        '%s://%s/%s',
+                        isset($_SERVER['HTTPS']) ? 'https' : 'http',
+                        $_SERVER['HTTP_HOST'],
+                        ltrim($tmp_url_parts['path'], '/')
+                    );
                     $redir_uri .= !empty($tmp_url_parts['query']) ? "?" . $tmp_url_parts['query'] : "";
                     $redir_uri .= !empty($tmp_url_parts['fragment']) ? "#" . $tmp_url_parts['fragment'] : "";
                     header(url_safe("Location: {$redir_uri}"));