diff --git a/CHANGELOG b/CHANGELOG
index ca8972a48..22998576f 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -382,6 +382,9 @@ Changes in version 5.1.47
 --------------------------------------------------------------------------------
 - output and check for reasonable values of upload_max_filesize, post_max_size and memory_limit
+- remove null bytes from login
+- remove null bytes from password when authenticating by ldap
+- check for valid referer uri when logging in
 --------------------------------------------------------------------------------
 Changes in version 5.1.46
diff --git a/op/op.Login.php b/op/op.Login.php
index 63d05d9c8..840a881c5 100644
--- a/op/op.Login.php
+++ b/op/op.Login.php
@@ -71,15 +71,15 @@ if(isset($_REQUEST["lang"]) && strlen($_REQUEST["lang"])>0 && is_numeric(array_s
 $session = new Session($db);
-// TODO: by the PHP manual: The superglobals $_GET and $_REQUEST are already decoded.
-// Using urldecode() on an element in $_GET or $_REQUEST could have unexpected and dangerous results.
-
 $referuri = '';
 if (isset($_POST["referuri"]) && strlen($_POST["referuri"])>0) {
-	$referuri = trim(urldecode($_POST["referuri"]));
+	$referuri = trim($_POST["referuri"]);
 } else if (isset($_GET["referuri"]) && strlen($_GET["referuri"])>0) {
-	$referuri = trim(urldecode($_GET["referuri"]));
+	$referuri = trim($_GET["referuri"]);
+}
+if ($referuri !== '' && !preg_match('#^/[A-Za-z0-9/_\-.?=&]*$#', $referuri)) {
+	$referuri = '';
 }
 add_log_line();
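Review bot: The new allowlist `#^/[A-Za-z0-9/_\-.?=&]*$#` only requires a leading `/` and then admits `/` anywhere, so a value such as `//attacker.example/x` passes the check; if `$referuri` is later used as a post-login redirect target (its consumer is outside this hunk), a protocol-relative URL like that is treated by browsers as an absolute URL to another host, which is exactly the open redirect the check is meant to close. Reject a second slash at the start and anchor the pattern at the true end of the string rather than before a trailing newline: `if ($referuri !== '' && !preg_match('#^/(?!/)[A-Za-z0-9/_\-.?=&]*$#D', $referuri)) {`. Since the character class already excludes `\` and `%`, no other scheme-relative or percent-encoded form can slip through after that change. A short comment above the check stating its intent would help the next reader, e.g. `// Only accept a site-relative path (no scheme, no host) as the post-login redirect target`.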