aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHarald Eilertsen <haraldei@anduin.net>2024-06-12 21:05:28 +0200
committerHarald Eilertsen <haraldei@anduin.net>2024-06-13 13:34:20 +0200
commit605f9825209584cc79247ef8a45fda956968a19c (patch)
treefb83c7956bd712ed2829826fed0506d25551bd27
parentfb1c66fbc9705961454d86770511642b97b41c1a (diff)
downloadvolse-hubzilla-605f9825209584cc79247ef8a45fda956968a19c.tar.gz
volse-hubzilla-605f9825209584cc79247ef8a45fda956968a19c.tar.bz2
volse-hubzilla-605f9825209584cc79247ef8a45fda956968a19c.zip
Module\Rpost: Redirect to submitted post on success.
This eliminates a open redirect issue where it was possible to craft a link that when clicked would take the victim to an external site controlled by an attacker.
-rw-r--r--Zotlabs/Module/Rpost.php11
1 files changed, 1 insertions, 10 deletions
diff --git a/Zotlabs/Module/Rpost.php b/Zotlabs/Module/Rpost.php
index 3b64fd2d8..286eb6459 100644
--- a/Zotlabs/Module/Rpost.php
+++ b/Zotlabs/Module/Rpost.php
@@ -62,15 +62,6 @@ class Rpost extends \Zotlabs\Web\Controller {
}
}
- if(isset($_REQUEST['remote_return']) && $_REQUEST['remote_return']) {
- $_SESSION['remote_return'] = $_REQUEST['remote_return'];
- }
- if(argc() > 1 && argv(1) === 'return') {
- if($_SESSION['remote_return'])
- goaway($_SESSION['remote_return']);
- goaway(z_root() . '/network');
- }
-
if(isset($_REQUEST['type']) && $_REQUEST['type'] === 'html') {
require_once('include/html2bbcode.php');
$_REQUEST['body'] = html2bbcode($_REQUEST['body']);
@@ -106,7 +97,7 @@ class Rpost extends \Zotlabs\Web\Controller {
'body' => $_REQUEST['body'] ?? '',
'attachment' => $_REQUEST['attachment'] ?? '',
'source' => ((x($_REQUEST,'source')) ? strip_tags($_REQUEST['source']) : ''),
- 'return_path' => 'rpost/return',
+ 'return_path' => 'hq',
'bbco_autocomplete' => 'bbcode',
'editor_autocomplete' => true,
'bbcode' => true,