From 45171f674db608084694f696a216b734b3682b53 Mon Sep 17 00:00:00 2001
From: slackero <slackero@gmail.com>
Date: Sat, 14 Aug 2021 12:06:40 +0200
Subject: [PATCH] Fixes session hijacking via open redirection

---
 include/inc_lib/revision/revision.php | 2 +-
 login.php                             | 9 +++++----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/include/inc_lib/revision/revision.php b/include/inc_lib/revision/revision.php
index c576b265b..a5be520b3 100644
--- a/include/inc_lib/revision/revision.php
+++ b/include/inc_lib/revision/revision.php
@@ -10,5 +10,5 @@
  **/
 
 define('PHPWCMS_VERSION', '1.9.25-dev');
-define('PHPWCMS_RELEASE_DATE', '2021/08/09');
+define('PHPWCMS_RELEASE_DATE', '2021/08/14');
 define('PHPWCMS_REVISION', '552');
diff --git a/login.php b/login.php
index 1911d9817..3f9f4475d 100644
--- a/login.php
+++ b/login.php
@@ -75,10 +75,11 @@
 $wcs_user   = '';
 
 // where user should be redirected too after login
-if(!empty($_POST['ref_url'])) {
-    $ref_url = xss_clean($_POST['ref_url']);
-} elseif(!empty($_GET['ref'])) {
-    $ref_url = xss_clean(rawurldecode($_GET['ref']));
+if(isset($_POST['ref_url']) || isset($_GET['ref'])) {
+    $ref_url = xss_clean(empty($_POST['ref_url']) ? rawurldecode($_GET['ref']) : $_POST['ref_url']);
+    if (substr($ref_url, 0, strlen(PHPWCMS_URL)) !== PHPWCMS_URL) {
+        $ref_url = '';
+    }
 } else {
     $ref_url = '';
 }