diff options
| author | Andreas Fischer <bantu@phpbb.com> | 2015-04-28 22:17:11 +0200 |
|---|---|---|
| committer | Andreas Fischer <bantu@phpbb.com> | 2015-04-28 22:17:11 +0200 |
| commit | c1702b8e19a69c98ef049abb4e14157e3e208ed4 (patch) | |
| tree | 70a2dc48b8d18697b79d9be85816badb93aa2237 /phpBB/includes/functions.php | |
| parent | 969718fc91cc2343332d0b89d9e842a8a1c2c1d3 (diff) | |
| parent | d7c96cc60ca5836356a0c4f0bb9a9976a4a232ab (diff) | |
| download | forums-c1702b8e19a69c98ef049abb4e14157e3e208ed4.tar forums-c1702b8e19a69c98ef049abb4e14157e3e208ed4.tar.gz forums-c1702b8e19a69c98ef049abb4e14157e3e208ed4.tar.bz2 forums-c1702b8e19a69c98ef049abb4e14157e3e208ed4.tar.xz forums-c1702b8e19a69c98ef049abb4e14157e3e208ed4.zip | |
Merge remote-tracking branch 'phpbb-security/ticket/security-180-asc' into prep-release-3.1.4
* phpbb-security/ticket/security-180-asc:
[ticket/security-180] Use language variable for redirect error in 3.1+
[ticket/security-180] Merge if statement with previous one in 3.1.x
[ticket/security-180] Add tests for redirecting to main URL
[ticket/security-180] Always fail when redirecting to an insecure URL
[ticket/security-180] Make sure that redirect goes to full URL plus slash
[ticket/security-180] Check if redirect URL contains board URL
Diffstat (limited to 'phpBB/includes/functions.php')
| -rw-r--r-- | phpBB/includes/functions.php | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 4fdeb12d3a..cc5d185f4e 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -2309,7 +2309,7 @@ function redirect($url, $return = false, $disable_cd_check = false) // Attention: only able to redirect within the same domain if $disable_cd_check is false (yourdomain.com -> www.yourdomain.com will not work) if (!$disable_cd_check && $url_parts['host'] !== $user->host) { - $url = generate_board_url(); + trigger_error('INSECURE_REDIRECT', E_USER_ERROR); } } else if ($url[0] == '/') @@ -2347,7 +2347,7 @@ function redirect($url, $return = false, $disable_cd_check = false) // Clean URL and check if we go outside the forum directory $url = $phpbb_path_helper->clean_url($url); - if (!$disable_cd_check && strpos($url, generate_board_url(true)) === false) + if (!$disable_cd_check && strpos($url, generate_board_url(true) . '/') !== 0) { trigger_error('INSECURE_REDIRECT', E_USER_ERROR); } |