diff options
| author | Andreas Fischer <bantu@phpbb.com> | 2015-04-28 22:17:37 +0200 |
|---|---|---|
| committer | Andreas Fischer <bantu@phpbb.com> | 2015-04-28 22:17:37 +0200 |
| commit | aa0c55ed8f0917c876cabdb03cda7a841d28a3a3 (patch) | |
| tree | b0e196028050ed83cf660d22d99943ca674c5d10 /phpBB/includes | |
| parent | 98c9734db4ab8a56faa5297c4994657da2d1599e (diff) | |
| parent | c1702b8e19a69c98ef049abb4e14157e3e208ed4 (diff) | |
| download | forums-aa0c55ed8f0917c876cabdb03cda7a841d28a3a3.tar forums-aa0c55ed8f0917c876cabdb03cda7a841d28a3a3.tar.gz forums-aa0c55ed8f0917c876cabdb03cda7a841d28a3a3.tar.bz2 forums-aa0c55ed8f0917c876cabdb03cda7a841d28a3a3.tar.xz forums-aa0c55ed8f0917c876cabdb03cda7a841d28a3a3.zip | |
Merge branch 'prep-release-3.1.4' into 3.1.x
* prep-release-3.1.4:
[ticket/security-180] Use language variable for redirect error in 3.1+
[ticket/security-180] Merge if statement with previous one in 3.1.x
[ticket/security-180] Add tests for redirecting to main URL
[ticket/security-180] Always fail when redirecting to an insecure URL
[ticket/security-180] Make sure that redirect goes to full URL plus slash
[ticket/security-180] Check if redirect URL contains board URL
Diffstat (limited to 'phpBB/includes')
| -rw-r--r-- | phpBB/includes/functions.php | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index e2e9b509d7..d460497669 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -2309,7 +2309,7 @@ function redirect($url, $return = false, $disable_cd_check = false) // Attention: only able to redirect within the same domain if $disable_cd_check is false (yourdomain.com -> www.yourdomain.com will not work) if (!$disable_cd_check && $url_parts['host'] !== $user->host) { - $url = generate_board_url(); + trigger_error('INSECURE_REDIRECT', E_USER_ERROR); } } else if ($url[0] == '/') @@ -2347,7 +2347,7 @@ function redirect($url, $return = false, $disable_cd_check = false) // Clean URL and check if we go outside the forum directory $url = $phpbb_path_helper->clean_url($url); - if (!$disable_cd_check && strpos($url, generate_board_url(true)) === false) + if (!$disable_cd_check && strpos($url, generate_board_url(true) . '/') !== 0) { trigger_error('INSECURE_REDIRECT', E_USER_ERROR); } |