use host name in redirect to prevent redirecting to arbitrary pages

2025-02-06 15:14:58 +00:00 · 2019-07-30 06:36:34 +02:00 · 2019-07-30 06:36:34 +02:00 · 90baea95f0
commit 90baea95f0
parent 3d5812c86d
1 changed files with 1 additions and 1 deletions
--- a/op/op.SetLanguage.php
+++ b/op/op.SetLanguage.php
@ -30,5 +30,5 @@ include("../inc/inc.Authentication.php");

 $session->setLanguage($_GET['lang']);

-header("Location: ".$_GET['referer']);
+header("Location: http".((isset($_SERVER['HTTPS']) && (strcmp($_SERVER['HTTPS'],'off')!=0)) ? "s" : "")."://".$_SERVER['HTTP_HOST'].$_GET['referer']);
 ?>