From 664db33c2d4f86be8ba6de43eccd57615b87f7a9 Mon Sep 17 00:00:00 2001
From: Kunal Mehta
Date: Fri, 14 Aug 2015 16:07:33 -0700
Subject: [PATCH] SECURITY: Don't redirect to external sites after login
The &redirectto= parameter can point to an external site that is a valid interwiki, in that case just redirect to the main page.
Bug: T109140
Change-Id: I953f99b44636e676102b6cb3334508130ae101c8
---
 includes/specials/SpecialUserlogin.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/includes/specials/SpecialUserlogin.php b/includes/specials/SpecialUserlogin.php
index 0b500f4..3cad01b 100644
--- a/includes/specials/SpecialUserlogin.php
+++ b/includes/specials/SpecialUserlogin.php
@@ -1283,7 +1283,9 @@ class LoginForm extends SpecialPage {
 Hooks::run( 'PostLoginRedirect', array( &$returnTo, &$returnToQuery, &$type ) );
 $returnToTitle = Title::newFromText( $returnTo );
- if ( !$returnToTitle ) {
+ // T109140: Don't redirect to external sites since MediaWiki will
+ // never generate a URL like that
+ if ( !$returnToTitle || $returnToTitle->isExternal() ) {
 $returnToTitle = Title::newMainPage();
 }
-- 
2.4.3
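Review bot: The comment added above the `isExternal()` check explains the guard by what MediaWiki generates rather than by the risk, so a later maintainer may not recognise it as an open-redirect defence and could drop it in a refactor. I would word it as `// T109140: the return target comes from the request (and can be changed by the PostLoginRedirect hook); an interwiki title resolves to an external URL, so fall back to the main page instead of redirecting off-site`. The rejection is also silent: an unparsable title and an external one take the same branch, so attempts to abuse the login link leave no trace, and a debug-log entry for the external case would give operators something to detect on. The diffstat shows only this file changed, so a regression test that feeds an interwiki-prefixed return target and expects the main page would be worth adding. The enclosing method starts and ends outside the hunk, so other uses of the return target in this class cannot be checked from here.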