From 605f9825209584cc79247ef8a45fda956968a19c Mon Sep 17 00:00:00 2001
From: Harald Eilertsen
Date: Wed, 12 Jun 2024 21:05:28 +0200
Subject: Module\Rpost: Redirect to submitted post on success.

This eliminates a open redirect issue where it was possible to craft a link that when clicked would take the victim to an external site controlled by an attacker.
---
 Zotlabs/Module/Rpost.php | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)

diff --git a/Zotlabs/Module/Rpost.php b/Zotlabs/Module/Rpost.php
index 3b64fd2d8..286eb6459 100644
--- a/Zotlabs/Module/Rpost.php
+++ b/Zotlabs/Module/Rpost.php
@@ -62,15 +62,6 @@ class Rpost extends \Zotlabs\Web\Controller {
 }
 }
- if(isset($_REQUEST['remote_return']) && $_REQUEST['remote_return']) {
- $_SESSION['remote_return'] = $_REQUEST['remote_return'];
- }
- if(argc() > 1 && argv(1) === 'return') {
- if($_SESSION['remote_return'])
- goaway($_SESSION['remote_return']);
- goaway(z_root() . '/network');
- }
-
 if(isset($_REQUEST['type']) && $_REQUEST['type'] === 'html') {
 require_once('include/html2bbcode.php');
 $_REQUEST['body'] = html2bbcode($_REQUEST['body']);
@@ -106,7 +97,7 @@ class Rpost extends \Zotlabs\Web\Controller {
 'body' => $_REQUEST['body'] ?? '',
 'attachment' => $_REQUEST['attachment'] ?? '',
 'source' => ((x($_REQUEST,'source')) ? strip_tags($_REQUEST['source']) : ''),
- 'return_path' => 'rpost/return',
+ 'return_path' => 'hq',
 'bbco_autocomplete' => 'bbcode',
 'editor_autocomplete' => true,
 'bbcode' => true,
-- 
cgit v1.2.3
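Review bot: The new `'return_path' => 'hq'` in the second hunk sends every successful post to the fixed HQ page, which does not match the subject line's "Redirect to submitted post on success"; either the commit message or the value should be aligned, and a short comment such as `// fixed, same-origin return path: never derived from request input (open redirect)` on that line would record why the target is hard-coded. The first hunk only stops this module from storing and following `$_SESSION['remote_return']`; if any other code still reads that session key and passes it to `goaway()`, the open redirect survives there, so a tree-wide search for `remote_return` is worth doing before closing the issue. Sessions that were already carrying an attacker-supplied `remote_return` keep that value until they expire, which is harmless only as long as nothing consumes it. The enclosing method begins and ends outside both hunks.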