0001-SECURITY-Don-t-redirect-to-external-sites-after-logi.patch

Authored By
Legoktm
Aug 14 2015, 11:07 PM
Size
1 KB

From 664db33c2d4f86be8ba6de43eccd57615b87f7a9 Mon Sep 17 00:00:00 2001
From: Kunal Mehta <legoktm@gmail.com>
Date: Fri, 14 Aug 2015 16:07:33 -0700
Subject: [PATCH] SECURITY: Don't redirect to external sites after login

The &redirectto= parameter can point to an external site that is a valid
interwiki; in that case, just redirect to the main page.

Bug: T109140
Change-Id: I953f99b44636e676102b6cb3334508130ae101c8
---
includes/specials/SpecialUserlogin.php | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/includes/specials/SpecialUserlogin.php b/includes/specials/SpecialUserlogin.php
index 0b500f4..3cad01b 100644
--- a/includes/specials/SpecialUserlogin.php
+++ b/includes/specials/SpecialUserlogin.php
@@ -1283,7 +1283,9 @@ class LoginForm extends SpecialPage {
Hooks::run( 'PostLoginRedirect', array( &$returnTo, &$returnToQuery, &$type ) );
$returnToTitle = Title::newFromText( $returnTo );
- if ( !$returnToTitle ) {
+ // T109140: Don't redirect to external sites since MediaWiki will
+ // never generate a URL like that
+ if ( !$returnToTitle || $returnToTitle->isExternal() ) {
$returnToTitle = Title::newMainPage();
}
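Review bot: The new condition `if ( !$returnToTitle || $returnToTitle->isExternal() )` runs after `Hooks::run( 'PostLoginRedirect', ... )`, which receives `$returnTo` by reference, so an interwiki target that a hook handler sets on purpose is now silently replaced with the main page as well. If that is intended, say so in the comment, since the current wording ("MediaWiki will never generate a URL like that") only covers links generated by core; if it is not, the check belongs before the hook call. The diffstat shows only SpecialUserlogin.php changing, so a regression test for a return target carrying an interwiki prefix would be worth adding with the fix. The commit message also names the parameter `&redirectto=` while the code works on `$returnTo`; aligning the two would make the fix easier to find later.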
--
2.4.3
