From 6e34696a213b153c9759481831c8fec039707e26 Mon Sep 17 00:00:00 2001
From: Alexander Ebert <ebert@woltlab.com>
Date: Wed, 9 Oct 2013 15:57:49 +0200
Subject: [PATCH] Fixed wrong redirect after login and potential security
 issues

---
 wcfsetup/install/files/js/WCF.User.js                   | 5 +++++
 wcfsetup/install/files/lib/acp/form/LoginForm.class.php | 9 ++++++++-
 wcfsetup/install/files/lib/form/LoginForm.class.php     | 1 -
 wcfsetup/install/files/lib/system/WCFACP.class.php      | 2 +-
 4 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/wcfsetup/install/files/js/WCF.User.js b/wcfsetup/install/files/js/WCF.User.js
index 7b935dd47d..a1415f247c 100644
--- a/wcfsetup/install/files/js/WCF.User.js
+++ b/wcfsetup/install/files/js/WCF.User.js
@@ -121,6 +121,11 @@ WCF.User.QuickLogin = {
 	 */
 	init: function() {
 		$('.loginLink').click($.proxy(this._render, this));
+		
+		// prepend protocol and hostname
+		$('#loginForm input[name=url]').val(function(index, value) {
+			return window.location.protocol + '//' + window.location.host + value;
+		});
 	},
 	
 	/**
diff --git a/wcfsetup/install/files/lib/acp/form/LoginForm.class.php b/wcfsetup/install/files/lib/acp/form/LoginForm.class.php
index ffdca16b23..e0a621b798 100755
--- a/wcfsetup/install/files/lib/acp/form/LoginForm.class.php
+++ b/wcfsetup/install/files/lib/acp/form/LoginForm.class.php
@@ -70,7 +70,14 @@ class LoginForm extends AbstractForm {
 	public function readParameters() {
 		parent::readParameters();
 		
-		if (!empty($_REQUEST['url'])) $this->url = $_REQUEST['url'];
+		if (!empty($_REQUEST['url'])) {
+			$this->url = StringUtil::trim($_REQUEST['url']);
+				
+			// discard URL if it is not an absolute URL of local content
+			if (!ApplicationHandler::getInstance()->isInternalURL($this->url)) {
+				$this->url = '';
+			}
+		}
 	}
 	
 	/**
diff --git a/wcfsetup/install/files/lib/form/LoginForm.class.php b/wcfsetup/install/files/lib/form/LoginForm.class.php
index 0152cd56cc..c8fe6505a0 100644
--- a/wcfsetup/install/files/lib/form/LoginForm.class.php
+++ b/wcfsetup/install/files/lib/form/LoginForm.class.php
@@ -51,7 +51,6 @@ class LoginForm extends \wcf\acp\form\LoginForm {
 		
 		$this->useCookies = 0;
 		if (isset($_POST['useCookies'])) $this->useCookies = intval($_POST['useCookies']);
-		if (isset($_POST['url'])) $this->url = StringUtil::trim($_POST['url']);
 	}
 	
 	/**
diff --git a/wcfsetup/install/files/lib/system/WCFACP.class.php b/wcfsetup/install/files/lib/system/WCFACP.class.php
index 8162f26206..bf1d5a027e 100644
--- a/wcfsetup/install/files/lib/system/WCFACP.class.php
+++ b/wcfsetup/install/files/lib/system/WCFACP.class.php
@@ -83,7 +83,7 @@ class WCFACP extends WCF {
 					$pageURL = $application->getPageURL();
 				}
 				
-				$path = $pageURL . 'acp/index.php/Login/' . SID_ARG_1ST . '&url=' . rawurlencode(WCF::getSession()->requestURI);
+				$path = $pageURL . 'acp/index.php/Login/' . SID_ARG_1ST . '&url=' . rawurlencode(RouteHandler::getProtocol() . $_SERVER['HTTP_HOST'] . WCF::getSession()->requestURI);
 				
 				HeaderUtil::redirect($path);
 				exit;
-- 
2.20.1