From c9c95fe4dd3db5ec63226eb1da7eecbcb1c9aab2 Mon Sep 17 00:00:00 2001
From: Alan Hardman
Date: Sat, 12 Mar 2022 11:44:40 -0700
Subject: [PATCH] Fix open redirect issue with partial URLs
---
 app/controller/index.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/controller/index.php b/app/controller/index.php
index da262cf3..26fb8f0e 100644
--- a/app/controller/index.php
+++ b/app/controller/index.php
@@ -50,7 +50,7 @@ public function login($f3)
 if (!$f3->get("GET.to")) {
 $f3->reroute("/");
 } else {
- if (strpos($f3->get("GET.to"), "://") === false) {
+ if (strpos($f3->get("GET.to"), "://") === false || substr($f3->get("GET.to"), 0, 2) == "//") {
 $f3->reroute($f3->get("GET.to"));
 } else {
 $f3->reroute("/");
@@ -93,7 +93,7 @@ public function loginpost($f3)
 if (!$f3->get("POST.to")) {
 $f3->reroute("/");
 } else {
- if (strpos($f3->get("POST.to"), "://") === false) {
+ if (strpos($f3->get("POST.to"), "://") === false || substr($f3->get("POST.to"), 0, 2) == "//") {
 $f3->reroute($f3->get("POST.to"));
 } else {
 $f3->reroute("/");
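Review bot: The clause added to the condition in login() widens the allow branch instead of narrowing it. A target beginning with `//` contains no `://`, so it already passed the first test, and the new `|| substr(...) == "//"` additionally admits values that start with `//` and do contain `://`; the protocol-relative redirect named in the subject line is therefore still followed. The test should reject that prefix, e.g. `if (strpos($f3->get("GET.to"), "://") === false && substr($f3->get("GET.to"), 0, 2) !== "//") {`, and the same correction applies to the `POST.to` check in the loginpost() hunk. A stricter allowlist would be safer than either form: accept only a target that starts with a single `/` not followed by `/` or `\`, and fall back to `/` otherwise. Both functions begin and end outside the hunks, so any earlier normalisation of `to` is not visible here.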