From 6e78c4fcc04820717afe5cdb55112d4a22d6f2dc Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Tue, 23 Apr 2013 00:26:40 +0300
Subject: [PATCH] Disallow URLs containing a @

---
 lib/base.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/lib/base.php b/lib/base.php
index 7b0967df9f9..a32ed460907 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -631,8 +631,13 @@ class OC {
 		// Handle redirect URL for logged in users
 		if (isset($_REQUEST['redirect_url']) && OC_User::isLoggedIn()) {
 			$location = OC_Helper::makeURLAbsolute(urldecode($_REQUEST['redirect_url']));
-			header('Location: ' . $location);
-			return;
+			
+			// Deny the redirect if the URL contains a @
+			// This prevents unvalidated redirects like ?redirect_url=:user@domain.com
+			if (strpos($location, '@') === FALSE) {
+				header('Location: ' . $location);
+				return;
+			}
 		}
 		// Handle WebDAV
 		if ($_SERVER['REQUEST_METHOD'] == 'PROPFIND') {
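Review bot: The new guard on line 23 is a one-character blocklist, so it only closes the userinfo form of the open redirect; whether an already-absolute or protocol-relative `redirect_url` still reaches `header('Location: ...')` depends on what `OC_Helper::makeURLAbsolute` does with such input, which is outside the hunk. A positive check is more robust than denying `@`: compare `parse_url($location, PHP_URL_HOST)` against the instance's own configured host (placeholder, taken from the server config rather than the request) and redirect only on a match. When the check fails the request now silently falls through to the WebDAV branch, so a log line naming the rejected redirect target would help operators spot abuse attempts. Minor style points: `FALSE` should be lowercase `false`, and line 20 carries only trailing whitespace. The enclosing method starts before the hunk.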
-- 
GitLab