From 90baea95f062917635190ae5ca73268e80626d36 Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Tue, 30 Jul 2019 06:36:34 +0200
Subject: [PATCH] use host name in redirect to prevent redirecting to arbitrary pages
---
 op/op.SetLanguage.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/op/op.SetLanguage.php b/op/op.SetLanguage.php
index f20520c52..06c07651b 100644
--- a/op/op.SetLanguage.php
+++ b/op/op.SetLanguage.php
@@ -30,5 +30,5 @@ include("../inc/inc.Authentication.php");
 $session->setLanguage($_GET['lang']);
-header("Location: ".$_GET['referer']);
+header("Location: http".((isset($_SERVER['HTTPS']) && (strcmp($_SERVER['HTTPS'],'off')!=0)) ? "s" : "")."://".$_SERVER['HTTP_HOST'].$_GET['referer']);
 ?>
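Review bot: On the new `header("Location: ...")` line, `$_GET['referer']` is still concatenated directly after `$_SERVER['HTTP_HOST']` without checking that it begins with `/`, so a value starting with any other character is parsed as part of the URL's authority and the redirect can still leave the site. I would require a leading slash before building the header, e.g. `$ref = (isset($_GET['referer']) && is_string($_GET['referer']) && strncmp($_GET['referer'], '/', 1) === 0) ? $_GET['referer'] : '/';` and then append `$ref` instead of the raw parameter (the `'/'` fallback is a placeholder for whatever in-application path the project prefers). `HTTP_HOST` itself is taken from the request's Host header, so unless the web server pins it to known virtual hosts, a configured base URL would be a safer source for the scheme and host. The script starts above this hunk, so I cannot see whether the includes already validate either value.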