// See if a URL has been explicitly provided in ReturnTo. If so, use it (as long as it points to this site).
// (Quoted as-is from the affected code: the stristr() substring test is the defect being reported.)
if ((isset($_REQUEST['ReturnTo']) && $_REQUEST['ReturnTo']) &&
    (valid_url($_REQUEST['ReturnTo']) && stristr($_REQUEST['ReturnTo'], $base_url))) {

  $returnto = $_REQUEST['ReturnTo'];
}

The checks only validate that $base_url is part of the ReturnTo, not that the ReturnTo URL points to a path on the site. As the entire ReturnTo is then used as $returnto, URLs to external sites can be used, e.g.:

http://example.com?dummy=http://base_url_here/bar/baz
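
As an added example (not Drupal's code and not part of this issue), the substring check quoted above beside a host-anchored replacement. valid_url() is a Drupal function, so the vulnerable variant here uses PHP's filter_var() in its place; the names is_local_return_to_vulnerable() and is_local_return_to(), the test URLs and the assumption of PHP 7 or later are ours. $base_url follows Drupal's convention of scheme plus host with no trailing slash, optionally with a subdirectory.

```php
<?php
// Added example, not Drupal's code: the stristr() check from the issue
// next to a check that compares scheme, host, port and base path instead.

/**
 * Mirrors the check quoted in the issue: any syntactically valid URL that
 * merely contains $base_url somewhere in it is accepted.
 */
function is_local_return_to_vulnerable(string $return_to, string $base_url): bool {
  return filter_var($return_to, FILTER_VALIDATE_URL) !== false
    && stristr($return_to, $base_url) !== false;
}

/**
 * Accepts only absolute URLs whose scheme, host and port equal those of
 * $base_url and whose path stays under the site's base path. Scheme-less
 * and protocol-relative input ("//evil.example/") has no usable host after
 * parse_url() and is therefore rejected.
 */
function is_local_return_to(string $return_to, string $base_url): bool {
  $base = parse_url($base_url);
  $candidate = parse_url($return_to);
  if ($base === false || $candidate === false) {
    return false;
  }
  foreach (['scheme', 'host'] as $part) {
    if (!isset($base[$part], $candidate[$part])
        || strcasecmp($base[$part], $candidate[$part]) !== 0) {
      return false;
    }
  }
  // Compare ports with the scheme default filled in, so http://site/ and
  // http://site:80/ agree while http://site:8080/ does not.
  $default_port = ['http' => 80, 'https' => 443][strtolower($base['scheme'])] ?? null;
  if (($base['port'] ?? $default_port) !== ($candidate['port'] ?? $default_port)) {
    return false;
  }
  // Userinfo has no legitimate use in a ReturnTo; refuse it outright.
  if (isset($candidate['user']) || isset($candidate['pass'])) {
    return false;
  }
  // Keep the redirect under the site's base path (Drupal may live in a
  // subdirectory). Dot segments and backslashes are refused rather than
  // resolved, which is stricter than necessary but cannot be escaped.
  $path = $candidate['path'] ?? '/';
  if (strpos($path, '..') !== false || strpos($path, '\\') !== false) {
    return false;
  }
  $base_path = rtrim($base['path'] ?? '/', '/');
  return $path === ($base_path === '' ? '/' : $base_path)
    || strncmp($path, $base_path . '/', strlen($base_path) + 1) === 0;
}

// Constructed inputs: the issue's example plus two other ways of placing
// $base_url inside a URL that actually points elsewhere.
$base_url = 'http://base_url_here';
$candidates = [
  'http://base_url_here/bar/baz',                           // genuinely local
  'http://example.com?dummy=http://base_url_here/bar/baz',  // the issue's example
  'http://base_url_here.example.com/',                      // host-suffix variant
  'http://base_url_here@example.com/',                      // userinfo variant
  '//example.com/',                                         // protocol-relative
];
foreach ($candidates as $url) {
  printf("%-58s substring:%-4s host-anchored:%s\n", $url,
    is_local_return_to_vulnerable($url, $base_url) ? 'yes' : 'no',
    is_local_return_to($url, $base_url) ? 'yes' : 'no');
}
```

The host-anchored variant is the one to use: with the substring check, every URL above except the protocol-relative one is accepted as "local" because the string `http://base_url_here` appears somewhere in it, while only the first passes the scheme/host/port/path comparison. Any fix that still works on the raw string (a prefix match, a regular expression) should be checked against the same list, since the host-suffix and userinfo cases defeat a naive prefix test as well.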

Comments

Heine created an issue.