From cb2a37bf6a0ad542506cace32f108cc9927315a8 Mon Sep 17 00:00:00 2001
From: markjcrane
Date: Sun, 25 Jul 2021 14:14:53 -0600
Subject: [PATCH] Santize the login destination url that is picked up from the database

---
 resources/login.php | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/resources/login.php b/resources/login.php
index 8c743553fe..251064d97e 100644
--- a/resources/login.php
+++ b/resources/login.php
@@ -242,8 +242,15 @@
 //set variable if not set
 if (!isset($_SESSION['login']['domain_name_visible']['boolean'])) {
 $_SESSION['login']['domain_name_visible']['boolean'] = null;
 }
-//set a default login destination
- if (strlen($_SESSION['login']['destination']['url']) == 0) {
+//santize the login destination url and set a default value
+ if (isset($_SESSION['login']['destination']['url'])) {
+ $destination_path = parse_url($_SESSION['login']['destination']['url'])['path'];
+ $destination_query = parse_url($_SESSION['login']['destination']['url'])['query'];
+ $destination_path = preg_replace('#[^a-zA-Z0-9_\-\./]#', '', $destination_path);
+ $destination_query = preg_replace('#[^a-zA-Z0-9_\-\./&=]#', '', $destination_query);
+ $_SESSION['login']['destination']['url'] = (strlen($destination_query) > 0) ? $destination_path.'?'.$destination_query : $destination_path;
+ }
+ else {
 $_SESSION['login']['destination']['url'] = PROJECT_PATH."/core/user_settings/user_dashboard.php";
 }
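Review bot: The default dashboard destination is no longer applied when the session url is set but empty or unparseable, because the new `else` branch only runs when the key is absent; a sanitized path of `''` is then stored as the redirect target, and `parse_url()` returning `false` or an array without a `path`/`query` entry raises undefined-index notices on the two `parse_url(...)['path']` / `['query']` lines. Guarding the lookups with `isset` and re-checking `strlen` after sanitizing restores the fallback the removed `strlen(...) == 0` check provided. Calling `parse_url()` once and reusing the result also removes the duplicated parse. Note too that `%` is outside both allowed character classes, so percent-encoded query values are altered rather than preserved — worth a comment on the `preg_replace` lines if that is intended.
```php
	if (isset($_SESSION['login']['destination']['url'])) {
		$destination_parts = parse_url($_SESSION['login']['destination']['url']);
		$destination_path = isset($destination_parts['path']) ? $destination_parts['path'] : '';
		$destination_query = isset($destination_parts['query']) ? $destination_parts['query'] : '';
		$destination_path = preg_replace('#[^a-zA-Z0-9_\-\./]#', '', $destination_path);
		$destination_query = preg_replace('#[^a-zA-Z0-9_\-\./&=]#', '', $destination_query);
		$_SESSION['login']['destination']['url'] = (strlen($destination_query) > 0) ? $destination_path.'?'.$destination_query : $destination_path;
	}
	//fall back to the dashboard when nothing usable survived sanitizing
	if (!isset($_SESSION['login']['destination']['url']) || strlen($_SESSION['login']['destination']['url']) == 0) {
		$_SESSION['login']['destination']['url'] = PROJECT_PATH."/core/user_settings/user_dashboard.php";
	}
```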