From e7487082c32de87efd756bf05ae8539d38cda373 Mon Sep 17 00:00:00 2001 From: plegall Date: Thu, 29 Apr 2010 10:44:30 +0000 Subject: bug 1484: prevent XSS vulnerability, encode url. improvement: no need to transmit the REQUEST_URI from PHP, Smarty already knows it. git-svn-id: http://piwigo.org/svn/trunk@5990 68402e56-0260-453c-a942-63ccdbb3a9ee --- identification.php | 2 +- include/block.class.php | 1 - themes/default/template/identification.tpl | 2 +- themes/default/template/menubar_identification.tpl | 2 +- 4 files changed, 3 insertions(+), 4 deletions(-) diff --git a/identification.php b/identification.php index cbfd40947..89bc9fe85 100644 --- a/identification.php +++ b/identification.php @@ -54,7 +54,7 @@ if (isset($_POST['login'])) } else { - $redirect_to = isset($_POST['redirect']) ? $_POST['redirect'] : ''; + $redirect_to = isset($_POST['redirect']) ? urldecode($_POST['redirect']) : ''; $remember_me = isset($_POST['remember_me']) and $_POST['remember_me']==1; if ( try_log_user($_POST['username'], $_POST['password'], $remember_me) ) { diff --git a/include/block.class.php b/include/block.class.php index af84330bd..e8f091741 100644 --- a/include/block.class.php +++ b/include/block.class.php @@ -134,7 +134,6 @@ class BlockManager global $template; $template->set_filename('menubar', $file); - $template->assign(array('U_REDIRECT' => $_SERVER['REQUEST_URI'])); trigger_action('blockmanager_apply', array(&$this) ); foreach( $this->display_blocks as $id=>$block) diff --git a/themes/default/template/identification.tpl b/themes/default/template/identification.tpl index 1541fd471..1a34744ac 100644 --- a/themes/default/template/identification.tpl +++ b/themes/default/template/identification.tpl @@ -21,7 +21,7 @@
{'Connection settings'|@translate} - +