From ef62b53cec5a479cc85aa15940ad9ebbcefde876 Mon Sep 17 00:00:00 2001
From: slawkens
Date: Mon, 8 Apr 2024 19:05:42 +0200
Subject: [PATCH] Don't allow redirect to external website

---
 system/login.php | 6 ------
 system/pages/accountmanagement.php | 7 +++++++
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/system/login.php b/system/login.php
index 095b849cd2..9f6d7454d6 100644
--- a/system/login.php
+++ b/system/login.php
@@ -42,12 +42,6 @@
 $logged = false;
 unset($account_logged);
-
- if(isset($_REQUEST['redirect']))
- {
- header('Location: ' . urldecode($_REQUEST['redirect']));
- exit;
- }
 }
 }
 }
diff --git a/system/pages/accountmanagement.php b/system/pages/accountmanagement.php
index 498fe895f9..573fc2df48 100644
--- a/system/pages/accountmanagement.php
+++ b/system/pages/accountmanagement.php
@@ -52,9 +52,16 @@
 {
 $redirect = urldecode($_REQUEST['redirect']);

+ // should never happen, unless hacker modify the URL
+ if (strpos($_REQUEST['redirect'], BASE_URL) === false) {
+ error('Fatal error: Cannot redirect outside the website.');
+ return;
+ }
+
 $twig->display('account.redirect.html.twig', array(
 'redirect' => $redirect
 ));
+ return;
 }
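Review bot: The new guard in accountmanagement.php only tests that BASE_URL occurs somewhere in the raw parameter (`strpos(...) === false`), so an absolute URL to another host that merely contains BASE_URL later in its query or fragment still passes and is handed to the template as the redirect target — the open redirect is narrowed, not closed. The check should require the site URL as a prefix of the value actually used, i.e. the decoded `$redirect` rather than the still-encoded `$_REQUEST['redirect']`: `if (strpos($redirect, BASE_URL) !== 0) {` (or `str_starts_with($redirect, BASE_URL)` if the project targets PHP 8). A prefix check is only sound when BASE_URL ends with a path separator, which this hunk does not show — worth confirming where the constant is defined, since a bare scheme+host prefix would also accept a longer host name. A stricter option is to accept only a relative path and build the Location from BASE_URL on the server side. The enclosing block starts before this hunk, so the condition that introduces `$_REQUEST['redirect']` is not visible here.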