From 6b72467dba6f040fbf0b72dca9df765cc518d111 Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Tue, 27 Jun 2017 13:52:15 +0000
Subject: [PATCH] SECURITY: Use getFullUrlForRedirect() in
 Special:CentralAuthAutoLogin/setCookies

This ensures that interwiki links cannot be used as returnto values.

This is triggerable by going to
mywiki.com/wiki/Special:Userlogin?returnto=google:Foo on a wiki
with centralauth where the user is already logged in.

Bug: T134931
---
 includes/specials/SpecialCentralAutoLogin.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/includes/specials/SpecialCentralAutoLogin.php b/includes/specials/SpecialCentralAutoLogin.php
index 2566a2c..5d67723 100644
--- a/includes/specials/SpecialCentralAutoLogin.php
+++ b/includes/specials/SpecialCentralAutoLogin.php
@@ -533,7 +533,7 @@ class SpecialCentralAutoLogin extends UnlistedSpecialPage {
 					$returnToQuery = [];
 				}
 
-				$redirectUrl = $returnToTitle->getFullURL( $returnToQuery );
+				$redirectUrl = $returnToTitle->getFullUrlForRedirect( $returnToQuery );
 
 				$script .= "\n" . 'location.href = ' . Xml::encodeJsVar( $redirectUrl ) . ';';
 
-- 
1.9.5 (Apple Git-50.3)