From: Alexander Ebert <ebert@woltlab.com>
Date: Wed, 9 Oct 2013 13:57:49 +0000 (+0200)
Subject: Fixed wrong redirect after login and potential security issues
X-Git-Tag: 2.0.0_Beta_11~34^2~5
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=6e34696a213b153c9759481831c8fec039707e26;p=GitHub%2FWoltLab%2FWCF.git

Fixed wrong redirect after login and potential security issues
---

diff --git a/wcfsetup/install/files/js/WCF.User.js b/wcfsetup/install/files/js/WCF.User.js
index 7b935dd47d..a1415f247c 100644
--- a/wcfsetup/install/files/js/WCF.User.js
+++ b/wcfsetup/install/files/js/WCF.User.js
@@ -121,6 +121,11 @@ WCF.User.QuickLogin = {
 	 */
 	init: function() {
 		$('.loginLink').click($.proxy(this._render, this));
+		
+		// prepend protocol and hostname
+		$('#loginForm input[name=url]').val(function(index, value) {
+			return window.location.protocol + '//' + window.location.host + value;
+		});
 	},
 	
 	/**
diff --git a/wcfsetup/install/files/lib/acp/form/LoginForm.class.php b/wcfsetup/install/files/lib/acp/form/LoginForm.class.php
index ffdca16b23..e0a621b798 100755
--- a/wcfsetup/install/files/lib/acp/form/LoginForm.class.php
+++ b/wcfsetup/install/files/lib/acp/form/LoginForm.class.php
@@ -70,7 +70,14 @@ class LoginForm extends AbstractForm {
 	public function readParameters() {
 		parent::readParameters();
 		
-		if (!empty($_REQUEST['url'])) $this->url = $_REQUEST['url'];
+		if (!empty($_REQUEST['url'])) {
+			$this->url = StringUtil::trim($_REQUEST['url']);
+				
+			// discard URL if it is not an absolute URL of local content
+			if (!ApplicationHandler::getInstance()->isInternalURL($this->url)) {
+				$this->url = '';
+			}
+		}
 	}
 	
 	/**
diff --git a/wcfsetup/install/files/lib/form/LoginForm.class.php b/wcfsetup/install/files/lib/form/LoginForm.class.php
index 0152cd56cc..c8fe6505a0 100644
--- a/wcfsetup/install/files/lib/form/LoginForm.class.php
+++ b/wcfsetup/install/files/lib/form/LoginForm.class.php
@@ -51,7 +51,6 @@ class LoginForm extends \wcf\acp\form\LoginForm {
 		
 		$this->useCookies = 0;
 		if (isset($_POST['useCookies'])) $this->useCookies = intval($_POST['useCookies']);
-		if (isset($_POST['url'])) $this->url = StringUtil::trim($_POST['url']);
 	}
 	
 	/**
diff --git a/wcfsetup/install/files/lib/system/WCFACP.class.php b/wcfsetup/install/files/lib/system/WCFACP.class.php
index 8162f26206..bf1d5a027e 100644
--- a/wcfsetup/install/files/lib/system/WCFACP.class.php
+++ b/wcfsetup/install/files/lib/system/WCFACP.class.php
@@ -83,7 +83,7 @@ class WCFACP extends WCF {
 					$pageURL = $application->getPageURL();
 				}
 				
-				$path = $pageURL . 'acp/index.php/Login/' . SID_ARG_1ST . '&url=' . rawurlencode(WCF::getSession()->requestURI);
+				$path = $pageURL . 'acp/index.php/Login/' . SID_ARG_1ST . '&url=' . rawurlencode(RouteHandler::getProtocol() . $_SERVER['HTTP_HOST'] . WCF::getSession()->requestURI);
 				
 				HeaderUtil::redirect($path);
 				exit;