summaryrefslogtreecommitdiff
path: root/modules/user
diff options
context:
space:
mode:
Diffstat (limited to 'modules/user')
-rw-r--r--modules/user/user.module2
-rw-r--r--modules/user/user.test7
2 files changed, 8 insertions, 1 deletions
diff --git a/modules/user/user.module b/modules/user/user.module
index da61f44d8..87f7b5e9c 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -1282,7 +1282,7 @@ function user_user_categories() {
}
function user_login_block($form) {
- $form['#action'] = url($_GET['q'], array('query' => drupal_get_destination()));
+ $form['#action'] = url(current_path(), array('query' => drupal_get_destination(), 'external' => FALSE));
$form['#id'] = 'user-login-form';
$form['#validate'] = user_login_default_validators();
$form['#submit'][] = 'user_login_submit';
diff --git a/modules/user/user.test b/modules/user/user.test
index 6ecbfac77..40e6ec333 100644
--- a/modules/user/user.test
+++ b/modules/user/user.test
@@ -1455,6 +1455,13 @@ class UserBlocksUnitTests extends DrupalWebTestCase {
$this->drupalPost('filter/tips', $edit, t('Log in'));
$this->assertNoText(t('User login'), t('Logged in.'));
$this->assertPattern('!<title.*?' . t('Compose tips') . '.*?</title>!', t('Still on the same page after login for allowed page'));
+
+ // Check that the user login block is not vulnerable to information
+ // disclosure to third party sites.
+ $this->drupalLogout();
+ $this->drupalPost('http://example.com/', $edit, t('Log in'), array('external' => FALSE));
+ // Check that we remain on the site after login.
+ $this->assertEqual(url('user/' . $user->uid, array('absolute' => TRUE)), $this->getUrl(), t('Redirected to user profile page after login from the frontpage'));
}
/**
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-07 13:58:58 +0000