
Merge pull request #116 from jdarwood007/check-schema-loginurl

Check the log(in|out) urls prior to using them
emanuele45 12 gadi atpakaļ
vecāks
revīzija
59e3a85dc3
1 mainītis faili ar 11 papildinājumiem un 1 dzēšanām
  1. 11 1
      Sources/LogInOut.php

+ 11 - 1
Sources/LogInOut.php

@@ -115,6 +115,11 @@ function Login2()
 		// Some whitelisting for login_url...
 		if (empty($_SESSION['login_url']))
 			redirectexit();
+		elseif (!empty($_SESSION['login_url']) && (strpos('http://', $_SESSION['login_url']) === false && strpos('https://', $_SESSION['login_url']) === false))
+		{
+			unset ($_SESSION['login_url']);
+			redirectexit();
+		}
 		else
 		{
 			// Best not to clutter the session data too much...
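Review bot: The `strpos()` arguments in the added `elseif` are reversed (the haystack comes first), so `strpos('http://', $_SESSION['login_url'])` searches for the stored URL inside the literal and returns false for any real URL; every non-empty `login_url` is therefore unset and the `else` branch is never reached. Swapping the arguments alone would still accept a scheme that appears anywhere in the string, so anchor the match at offset 0 and drop the `!empty()` that the preceding `if` already covers: `elseif (strpos($_SESSION['login_url'], 'http://') !== 0 && strpos($_SESSION['login_url'], 'https://') !== 0)`. The Logout() hunk has the same reversed call on `logout_url`. Even when corrected, a scheme check does not tie the target to this site, so if the session value can be influenced by a request this remains an open redirect; comparing the prefix against the forum's own base URL would close that. Login2() starts and ends outside the hunk, so how `login_url` is populated is not visible here.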
@@ -607,6 +612,11 @@ function Logout($internal = false, $redirect = true)
 	{
 		if (empty($_SESSION['logout_url']))
 			redirectexit('', $context['server']['needs_login_fix']);
+		elseif (!empty($_SESSION['logout_url']) && (strpos('http://', $_SESSION['logout_url']) === false && strpos('https://', $_SESSION['logout_url']) === false))
+		{
+			unset ($_SESSION['logout_url']);
+			redirectexit();
+		}
 		else
 		{
 			$temp = $_SESSION['logout_url'];
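Review bot: The new rejection branch in Logout() calls `redirectexit()` with no arguments, while the `empty()` branch directly above it passes `redirectexit('', $context['server']['needs_login_fix'])`. Both branches fall back to the default page after logout, so the added one probably wants the same second argument: `redirectexit('', $context['server']['needs_login_fix']);`. Logout()'s body extends outside the hunk, so whether the difference is deliberate cannot be confirmed from here.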
@@ -740,4 +750,4 @@ function validatePasswordFlood($id_member, $password_flood_value = false, $was_c
 
 }
 
-?>
+?>