website fix

This commit is contained in:
Frank Harris 2025-10-22 10:03:37 -04:00
parent e14794bc59
commit 309d08497b
58 changed files with 1690 additions and 363 deletions

View file

@ -23,8 +23,35 @@ if (isset($_COOKIE[session_name()])) {
// Destroy the session
session_destroy();
// Optional safe return_to handling
$return_raw = $_GET['return_to'] ?? '';
// Determine site root (prefer up to /_website)
$script = $_SERVER['SCRIPT_NAME'] ?? '';
$pos = strpos($script, '/_website');
$siteRoot = $pos !== false ? substr($script, 0, $pos + strlen('/_website')) : rtrim(dirname($script), '/\\');
// Redirect to home page
header('Location: /');
// sanitize: disallow absolute URLs (with protocol), CR/LF; allow safe path characters.
$sanitize_return = function($p) use ($siteRoot) {
$p = trim((string)$p);
if ($p === '') return '';
// disallow absolute URLs or protocol-relative paths
if (preg_match('#^(https?:)?//#i', $p)) return '';
if (strpos($p, "\n") !== false || strpos($p, "\r") !== false) return '';
// allow only safe characters (slash, query, percent-encodings, alnum and a few safe symbols)
if (!preg_match('#^[A-Za-z0-9_./?&=%:\-]+$#', $p)) return '';
// If it already starts with '/', treat it as an absolute path and return as-is
if (strpos($p, '/') === 0) {
return $p;
}
// Otherwise, build an absolute path under the site root
return $siteRoot . '/' . ltrim($p, '/');
};
$sanitized = $sanitize_return($return_raw);
if ($sanitized !== '') {
header('Location: ' . $sanitized);
} else {
header('Location: ' . $siteRoot . '/index.php');
}
exit();
?>