From 8a27a7dd61d92641daa481899fdaea7ec48ed77e Mon Sep 17 00:00:00 2001
From: Angie Byron
Date: Mon, 21 Jun 2010 14:59:14 +0000
Subject: #733028 by cha0s, agentrickard: Fixed SA-CORE-2010-001 - Open redirection.

---
 includes/common.inc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'includes')

diff --git a/includes/common.inc b/includes/common.inc
index a170ee1bb..0cac24553 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -659,7 +659,8 @@ function drupal_encode_path($path) {
 */
 function drupal_goto($path = '', array $options = array(), $http_response_code = 302) {
 // A destination in $_GET always overrides the function arguments.
- if (isset($_GET['destination'])) {
+ // We do not allow absolute URLs to be passed via $_GET, as this can be an attack vector.
+ if (isset($_GET['destination']) && !url_is_external($_GET['destination'])) {
 $destination = drupal_parse_url($_GET['destination']);
 $path = $destination['path'];
 $options['query'] = $destination['query'];
-- 
cgit v1.2.3
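Review bot: The added condition delegates the entire open-redirect decision to `url_is_external()`, whose body is outside this hunk, and the new comment only says "absolute URLs"; if that helper decides externality solely by the presence of a scheme, a scheme-relative destination of the form `//host/path` is not "absolute" in that sense yet is still treated as a cross-host redirect by browsers, so confirm the helper rejects that form or extend the guard to `!url_is_external($_GET['destination']) && strpos($_GET['destination'], '//') !== 0`. A rejected destination is currently dropped silently, falling back to the `$path` argument with no trace for operators; an `else` branch that records the event, e.g. `watchdog('security', 'Ignored external destination %d in drupal_goto().', array('%d' => $_GET['destination']), WATCHDOG_WARNING);`, would make probing of this endpoint visible in logs. The comment would also be more precise as `// Reject external destinations from $_GET; forwarding them would make drupal_goto() an open redirect.` rather than the vaguer "this can be an attack vector". drupal_goto's body continues outside the hunk, so whether the same guard is applied where `$path` itself is later passed to `url()` cannot be checked here.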