Fix open redirect in tag.php + language.php: reject protocol-relative URLs (//evil.com) by also checking for // prefix

Pontoporeia
2026-06-24 14:15:14 +02:00
parent 6ecd3d4540
commit 84869ad968
3 changed files with 13 additions and 7 deletions


@@ -74,9 +74,10 @@ try {
}
$redirect = '/admin/contenus.php';
// Allow the caller to override the redirect
if (!empty($_POST['return']) && str_starts_with($_POST['return'], '/')) {
$redirect = $_POST['return'];
// Allow the caller to override the redirect (same-origin only, no protocol-relative)
$return = $_POST['return'] ?? '';
if ($return !== '' && str_starts_with($return, '/') && !str_starts_with($return, '//')) {
$redirect = $return;
}
header('Location: ' . $redirect);
exit();
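Review bot: The new condition on the `if` line still accepts a value beginning with `/\`, which browsers normalise to `//` when resolving a `Location` header, so the protocol-relative redirect the commit sets out to block is not fully closed. Reject the backslash form in the same guard, e.g. `if ($return !== '' && str_starts_with($return, '/') && !str_starts_with($return, '//') && !str_starts_with($return, '/\\')) {`, and consider a short comment above it such as `// "/\" is treated as "//" by browsers, so both prefixes are refused`. The commit title says the same guard is applied in tag.php and language.php; if so, a small shared helper (e.g. a `safeLocalRedirect(string $path): ?string` in a common include) would keep the two copies from drifting apart, though which file this hunk belongs to is not visible here. The enclosing `try` block begins outside the hunk.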