From d6fdf887cec209a4ce92957afcbd3ac3b2f6168f Mon Sep 17 00:00:00 2001
From: "Michael Kaufmann (d00p)"
Date: Wed, 19 Feb 2014 11:08:43 +0100
Subject: [PATCH] don't add session-id to external redirects, thx to Sephi
Signed-off-by: Michael Kaufmann (d00p)
---
 admin_index.php | 6 ++--
 admin_settings.php | 6 ++--
 index.php | 34 ++++++++++----------
 lib/functions/output/function.redirectTo.php | 8 +++--
 4 files changed, 29 insertions(+), 25 deletions(-)
diff --git a/admin_index.php b/admin_index.php
index 115af5ac..91836876 100644
--- a/admin_index.php
+++ b/admin_index.php
@@ -118,13 +118,13 @@ if ($page == 'overview') {
 $isnewerversion = 0;
 }
 } else {
- redirectTo($update_check_uri.'/pretty', NULL);
+ redirectTo($update_check_uri.'/pretty', NULL, false);
 }
 } else {
- redirectTo($update_check_uri.'/pretty', NULL);
+ redirectTo($update_check_uri.'/pretty', NULL, false);
 }
 } else {
- redirectTo($update_check_uri.'/pretty', NULL);
+ redirectTo($update_check_uri.'/pretty', NULL, false);
 }
 } else {
 $lookfornewversion_lable = $lng['admin']['lookfornewversion']['clickhere'];
diff --git a/admin_settings.php b/admin_settings.php
index 4127bddd..1dc09367 100644
--- a/admin_settings.php
+++ b/admin_settings.php
@@ -202,7 +202,7 @@ if ($page == 'overview' && $userinfo['change_serversettings'] == '1') {
 $log->logAction(ADM_ACTION, LOG_WARNING, "wiped all cleartext mail passwords");
 Database::query("UPDATE `" . TABLE_MAIL_USERS . "` SET `password` = '';");
 Database::query("UPDATE `" . TABLE_PANEL_SETTINGS . "` SET `value` = '0' WHERE `settinggroup` = 'system' AND `varname` = 'mailpwcleartext'");
- redirectTo('admin_settings.php', array('s' => $s));
+ redirectTo($filename, array('s' => $s));
 } else {
 ask_yesno('admin_cleartextmailpws_reallywipe', $filename, array('page' => $page));
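Review bot: The identical external redirect `redirectTo($update_check_uri.'/pretty', NULL, false)` is now repeated in three sibling else-branches, which makes it easy for a later edit to drop the `false` on one of them and re-enable the session id for the update server while the others stay correct. Collapsing the three checks into one condition with a single redirect call, or hoisting the call into a small helper such as `redirect_to_update_check()` beside these branches, keeps the "external, no session id" decision in one place. Passing `false` is the right choice since `$update_check_uri` points off-site; the enclosing if-chain starts outside the hunk, so the conditions themselves are not visible here.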
@@ -221,7 +221,7 @@ if ($page == 'overview' && $userinfo['change_serversettings'] == '1') {
 // Set the quota to 0 which means unlimited
 Database::query("UPDATE `" . TABLE_MAIL_USERS . "` SET `quota` = '0';");
 Database::query("UPDATE `" . TABLE_PANEL_CUSTOMERS . "` SET `email_quota_used` = '0'");
- redirectTo('admin_settings.php', array('s' => $s));
+ redirectTo($filename, array('s' => $s));
 } else {
 ask_yesno('admin_quotas_reallywipe', $filename, array('page' => $page));
@@ -259,7 +259,7 @@ if ($page == 'overview' && $userinfo['change_serversettings'] == '1') {
 // Update the Customer, if the used quota is bigger than the allowed quota
 Database::query("UPDATE `" . TABLE_PANEL_CUSTOMERS . "` SET `email_quota` = `email_quota_used` WHERE `email_quota` < `email_quota_used`");
 $log->logAction(ADM_ACTION, LOG_WARNING, 'enforcing mailquota to all customers: ' . Settings::Get('system.mail_quota') . ' MB');
- redirectTo('admin_settings.php', array('s' => $s));
+ redirectTo($filename, array('s' => $s));
 } else {
 ask_yesno('admin_quotas_reallyenforce', $filename, array('page' => $page));
diff --git a/index.php b/index.php
index 39773305..b6a643f5 100644
--- a/index.php
+++ b/index.php
@@ -104,7 +104,7 @@ if ($action == 'login') {
 $rstlog = FroxlorLogger::getInstanceOf(array('loginname' => $_SERVER['REMOTE_ADDR']));
 $rstlog->logAction(LOGIN_ACTION, LOG_WARNING, "Unknown user '" . $loginname . "' tried to login.");
- redirectTo('index.php', array('showmessage' => '2'), true);
+ redirectTo('index.php', array('showmessage' => '2'));
 exit;
 }
 }
@@ -116,7 +116,7 @@ if ($action == 'login') {
 $userinfo = $userinfo_stmt->fetch(PDO::FETCH_ASSOC);
 if ($userinfo['loginfail_count'] >= Settings::Get('login.maxloginattempts') && $userinfo['lastlogin_fail'] > (time() - Settings::Get('login.deactivatetime'))) {
- redirectTo('index.php', array('showmessage' => '3'), true);
+ redirectTo('index.php', array('showmessage' => '3'));
 exit;
 } elseif ($userinfo['password'] == md5($password)) {
 // login correct
@@ -141,7 +141,7 @@ if ($action == 'login') {
 $rstlog->logAction(LOGIN_ACTION, LOG_WARNING, "User '" . $loginname . "' tried to login with wrong password.");
 unset($userinfo);
- redirectTo('index.php', array('showmessage' => '2'), true);
+ redirectTo('index.php', array('showmessage' => '2'));
 exit;
 }
@@ -206,32 +206,32 @@ if ($action == 'login') {
 );
 }
 Database::pexecute($stmt, $params);
-
+
 $qryparams = array();
 if (isset($_POST['qrystr']) && $_POST['qrystr'] != "") {
 parse_str(urldecode($_POST['qrystr']), $qryparams);
 }
 $qryparams['s'] = $s;
-
+
 if ($userinfo['adminsession'] == '1') {
 if (hasUpdates($version)) {
- redirectTo('admin_updates.php', array('s' => $s), true);
+ redirectTo('admin_updates.php', array('s' => $s));
 } else {
 if (isset($_POST['script']) && $_POST['script'] != "") {
- redirectTo($_POST['script'], $qryparams, true);
+ redirectTo($_POST['script'], $qryparams);
 } else {
- redirectTo('admin_index.php', $qryparams, true);
+ redirectTo('admin_index.php', $qryparams);
 }
 }
 } else {
 if (isset($_POST['script']) && $_POST['script'] != "") {
- redirectTo($_POST['script'], $qryparams, true);
+ redirectTo($_POST['script'], $qryparams);
 } else {
- redirectTo('customer_index.php', $qryparams, true);
+ redirectTo('customer_index.php', $qryparams);
 }
 }
 } else {
- redirectTo('index.php', array('showmessage' => '2'), true);
+ redirectTo('index.php', array('showmessage' => '2'));
 }
 exit;
 } else {
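Review bot: The lockout branch redirects with `showmessage=3`, while the unknown-user path (the @@ -104 hunk) and the wrong-password path (the @@ -141 hunk) both use `showmessage=2`, so an unauthenticated caller can tell that a submitted login name exists and is currently locked — an account-enumeration oracle that survives this commit. Returning the generic `array('showmessage' => '2')` here and recording the lockout only in the server-side log would close it. The comparison on the next context line, `$userinfo['password'] == md5($password)`, is untouched by the commit but is unsalted MD5 under loose `==` (two numeric-looking hash strings compare numerically in PHP); it should move to `password_hash()`/`password_verify()` when this block is next revisited. The enclosing login block starts before the hunk.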
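Review bot: `redirectTo($_POST['script'], $qryparams)` sends the browser to a caller-supplied destination, and under the new default `$isRelative = true` the session id in `$qryparams['s']` is appended to whatever that value is; unless `$_POST['script']` is validated earlier in the login block (which starts before the hunk, so that is not visible), a crafted login form turns this into an open redirect that hands the freshly issued session token to an external host — the exact leak the commit is meant to stop. Restrict the target to known panel scripts before redirecting, e.g. `$script = basename($_POST['script']); if (!preg_match('/^(admin|customer)_[a-z_]+\.php$/', $script)) { $script = null; }` and fall through to the existing `admin_index.php`/`customer_index.php` defaults when it is rejected. `$qryparams` is likewise taken verbatim from `parse_str(urldecode($_POST['qrystr']))`; because `$qryparams['s'] = $s` is assigned afterwards the session key cannot be overridden, but every other key is attacker-chosen and is reflected into the Location header.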
@@ -323,7 +323,7 @@ if ($action == 'forgotpwd') {
 /* Check whether user is banned */
 if ($user['deactivated']) {
 $message = $lng['pwdreminder']['notallowed'];
- redirectTo('index.php', array('showmessage' => '5'), true);
+ redirectTo('index.php', array('showmessage' => '5'));
 }
 if (($adminchecked && Settings::Get('panel.allow_preset_admin') == '1') || $adminchecked == false) {
@@ -415,12 +415,12 @@ if ($action == 'forgotpwd') {
 if ($_mailerror) {
 $rstlog = FroxlorLogger::getInstanceOf(array('loginname' => 'password_reset'));
 $rstlog->logAction(ADM_ACTION, LOG_ERR, "Error sending mail: " . $mailerr_msg);
- redirectTo('index.php', array('showmessage' => '4', 'customermail' => $user['email']), true);
+ redirectTo('index.php', array('showmessage' => '4', 'customermail' => $user['email']));
 exit;
 }
 $mail->ClearAddresses();
- redirectTo('index.php', array('showmessage' => '1'), true);
+ redirectTo('index.php', array('showmessage' => '1'));
 exit;
 } else {
 $rstlog = FroxlorLogger::getInstanceOf(array('loginname' => 'password_reset'));
@@ -511,17 +511,17 @@ if ($action == 'resetpwd') {
 AND `userid` = :userid"
 );
 Database::pexecute($stmt, array("activationcode" => $activationcode, "userid" => $result['userid']));
- redirectTo('index.php', array("showmessage" => '6'), true);
+ redirectTo('index.php', array("showmessage" => '6'));
 }
 } else {
- redirectTo('index.php', array("showmessage" => '7'), true);
+ redirectTo('index.php', array("showmessage" => '7'));
 }
 }
 eval("echo \"" . getTemplate('rpwd') . "\";");
 } else {
- redirectTo('index.php', array("showmessage" => '7'), true);
+ redirectTo('index.php', array("showmessage" => '7'));
 }
 } else {
diff --git a/lib/functions/output/function.redirectTo.php b/lib/functions/output/function.redirectTo.php
index 886cf1f5..415b5a03 100644
--- a/lib/functions/output/function.redirectTo.php
+++ b/lib/functions/output/function.redirectTo.php
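Review bot: The mail-error redirect in the @@ -415 hunk still carries `'customermail' => $user['email']` (now alongside the session id) in the query string of a GET to index.php, so the address bound to whichever account was looked up from the submitted login name ends up in the URL, browser history, access logs and any referrer. This is the unauthenticated password-reminder flow, so anyone who can make delivery fail for a target login learns that account's e-mail; prefer a generic `array('showmessage' => '4')` and keep the address only in the server-side log line written just above it. The enclosing forgotpwd block starts before the hunk and the code that sets `$_mailerror` is not visible, so whether the failure is attacker-triggerable cannot be confirmed from here.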
@@ -36,7 +36,7 @@
 * - fixed bug #91
 */
-function redirectTo($destination, $get_variables = null, $isRelative = false) {
+function redirectTo($destination, $get_variables = null, $isRelative = true) {
 global $s;
@@ -77,7 +77,11 @@ function redirectTo($destination, $get_variables = null, $isRelative = false) {
 exit;
 } elseif ($get_variables == null) {
- $linker = new linker($destination, $s);
+ if ($isRelative) {
+ $linker = new linker($destination, $s);
+ } else {
+ $linker = new linker($destination);
+ }
 header('Location: ' . $linker->getLink());
 exit;
 }
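Review bot: Flipping the default to `$isRelative = true` changes behaviour for every caller in the code base that omits the third argument, not only the call sites touched by this commit: any such call with a null `$get_variables` now gets the session id appended, so a caller that redirects off-site without passing `false` will leak it. The docblock above the hunk (only its tail `- fixed bug #91` is visible) should state the parameter and its new default, e.g. `@param bool $isRelative true for panel-internal targets (session id appended); pass false for any external URL`. A grep for two-argument `redirectTo(` calls whose destination is an absolute URL is worth doing before merging. The function body continues past the hunk.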
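Review bot: The new branch relies on the caller's flag alone; an absolute `$destination` passed with `$isRelative` at its new default still receives the session id through `new linker($destination, $s)`. Having the function recognise external targets itself closes that gap regardless of call site: `if ($isRelative && preg_match('#^(?:[a-z][a-z0-9+.-]*:)?//#i', $destination)) { $isRelative = false; }` placed before the `elseif`. The `$get_variables != null` branch that ends with the `exit;` at the top of the hunk starts outside it, so whether it honours `$isRelative` at all cannot be confirmed from here; if it builds its linker with `$s` unconditionally, an external redirect that carries query parameters still leaks the id.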