author | Harald Eilertsen <haraldei@anduin.net> | 2024-06-12 21:05:28 +0200 |
---|---|---|
committer | Harald Eilertsen <haraldei@anduin.net> | 2024-06-13 13:34:20 +0200 |
commit | 605f9825209584cc79247ef8a45fda956968a19c (patch) | |
tree | fb83c7956bd712ed2829826fed0506d25551bd27 | |
parent | fb1c66fbc9705961454d86770511642b97b41c1a (diff) | |
Module\Rpost: Redirect to submitted post on success.
This eliminates an open redirect issue where it was possible to craft a
link that when clicked would take the victim to an external site
controlled by an attacker.
-rw-r--r-- | Zotlabs/Module/Rpost.php | 11 |
1 files changed, 1 insertions, 10 deletions
diff --git a/Zotlabs/Module/Rpost.php b/Zotlabs/Module/Rpost.php
index 3b64fd2d8..286eb6459 100644
--- a/Zotlabs/Module/Rpost.php
+++ b/Zotlabs/Module/Rpost.php
@@ -62,15 +62,6 @@ class Rpost extends \Zotlabs\Web\Controller {
 }
 }
-if(isset($_REQUEST['remote_return']) && $_REQUEST['remote_return']) {
-$_SESSION['remote_return'] = $_REQUEST['remote_return'];
-}
-if(argc() > 1 && argv(1) === 'return') {
-if($_SESSION['remote_return'])
-goaway($_SESSION['remote_return']);
-goaway(z_root() . '/network');
-}
 if(isset($_REQUEST['type']) && $_REQUEST['type'] === 'html') {
 require_once('include/html2bbcode.php');
 $_REQUEST['body'] = html2bbcode($_REQUEST['body']);
@@ -106,7 +97,7 @@ class Rpost extends \Zotlabs\Web\Controller {
 'body' => $_REQUEST['body'] ?? '',
 'attachment' => $_REQUEST['attachment'] ?? '',
 'source' => ((x($_REQUEST,'source')) ? strip_tags($_REQUEST['source']) : ''),
-'return_path' => 'rpost/return',
+'return_path' => 'hq',
 'bbco_autocomplete' => 'bbcode',
 'editor_autocomplete' => true,
 'bbcode' => true,
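Review bot: The new `'return_path' => 'hq'` in the second hunk carries no comment recording why the destination is now fixed, so the only place that rationale lives is the commit message; a one-line comment such as `// Fixed destination: return_path must never be taken from the request (open redirect).` would keep a later change from reintroducing a request-controlled value. The `$_SESSION['remote_return']` key written by the removed block in the first hunk is not unset anywhere in this diff, so sessions that already hold a caller-supplied URL keep it until they expire; if no other code reads that key this is harmless, but clearing it with `unset($_SESSION['remote_return']);` where the old block stood would be cheap. The enclosing method starts and ends outside both hunks.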