Fixed wrong redirect after login and potential security issues
authorAlexander Ebert <ebert@woltlab.com>
Wed, 9 Oct 2013 13:57:49 +0000 (15:57 +0200)
committerAlexander Ebert <ebert@woltlab.com>
Wed, 9 Oct 2013 13:57:49 +0000 (15:57 +0200)
wcfsetup/install/files/js/WCF.User.js
wcfsetup/install/files/lib/acp/form/LoginForm.class.php
wcfsetup/install/files/lib/form/LoginForm.class.php
wcfsetup/install/files/lib/system/WCFACP.class.php

index 7b935dd47d4cbb7cf61c731e72547b37ac97cbbd..a1415f247c48d667cd062c7119e8f30f8db5ffbf 100644 (file)
@@ -121,6 +121,11 @@ WCF.User.QuickLogin = {
         */
        init: function() {
                $('.loginLink').click($.proxy(this._render, this));
+               
+               // prepend protocol and hostname
+               $('#loginForm input[name=url]').val(function(index, value) {
+                       return window.location.protocol + '//' + window.location.host + value;
+               });
        },
        
        /**
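Review bot: The callback added to `init` prepends the origin to whatever the `url` field currently holds, so an empty value becomes a bare origin and a value that is already absolute (or a second call to `init`) ends up with a doubled prefix. A guard at the top of the callback keeps it idempotent: `if (!value || /^https?:\/\//i.test(value)) return value;`. This rewrite is only a client-side convenience, since the field can be submitted with any value. A short comment stating that the server-side check in `LoginForm::readParameters` is the actual control would prevent later readers from relying on it.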
index ffdca16b23b119532b07007ab1b56da246ac5519..e0a621b798c6d41c105bb01372a1c729b803c22f 100755 (executable)
@@ -70,7 +70,14 @@ class LoginForm extends AbstractForm {
        public function readParameters() {
                parent::readParameters();
                
-               if (!empty($_REQUEST['url'])) $this->url = $_REQUEST['url'];
+               if (!empty($_REQUEST['url'])) {
+                       $this->url = StringUtil::trim($_REQUEST['url']);
+                               
+                       // discard URL if it is not an absolute URL of local content
+                       if (!ApplicationHandler::getInstance()->isInternalURL($this->url)) {
+                               $this->url = '';
+                       }
+               }
        }
        
        /**
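Review bot: `!empty($_REQUEST['url'])` is also true for a non-empty array (`url[]=...`), which is then passed to `StringUtil::trim` and `isInternalURL`, neither of which is visible here. Requiring a string first removes the dependence on how those helpers treat non-strings: `if (!empty($_REQUEST['url']) && is_string($_REQUEST['url'])) {`. The safety of the post-login redirect now rests entirely on `isInternalURL`, so confirm and test that it compares the parsed scheme and host exactly rather than matching a string prefix. This file's only hunk adds no `use` line, so `ApplicationHandler` is presumably already imported; verify this.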
index 0152cd56cc155cecf3df41ad8bd9df4fb6842e08..c8fe6505a0e9b617807d6b7ac72becd9f19ea0a5 100644 (file)
@@ -51,7 +51,6 @@ class LoginForm extends \wcf\acp\form\LoginForm {
                
                $this->useCookies = 0;
                if (isset($_POST['useCookies'])) $this->useCookies = intval($_POST['useCookies']);
-               if (isset($_POST['url'])) $this->url = StringUtil::trim($_POST['url']);
        }
        
        /**
index 8162f26206df15ed81e489b36c573af0f7443eac..bf1d5a027e5f1655f77bd4aad3f840c296bca51a 100644 (file)
@@ -83,7 +83,7 @@ class WCFACP extends WCF {
                                        $pageURL = $application->getPageURL();
                                }
                                
-                               $path = $pageURL . 'acp/index.php/Login/' . SID_ARG_1ST . '&url=' . rawurlencode(WCF::getSession()->requestURI);
+                               $path = $pageURL . 'acp/index.php/Login/' . SID_ARG_1ST . '&url=' . rawurlencode(RouteHandler::getProtocol() . $_SERVER['HTTP_HOST'] . WCF::getSession()->requestURI);
                                
                                HeaderUtil::redirect($path);
                                exit;
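Review bot: `$_SERVER['HTTP_HOST']` comes from the request's Host header and is concatenated into the `url` parameter unchecked on the new `$path` line. If the header does not match a configured application host, the login form's internal-URL check will presumably discard the value and the return target is lost, and the index can be undefined when a request carries no Host header. Prefer building the origin from configured application data (the same source `$pageURL` is derived from just above), or handle the missing or unexpected header explicitly. `RouteHandler` is not imported in the visible lines and this file has a single hunk, so confirm the `use` statement already exists. The enclosing method starts outside the hunk.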