From eed355b798ec77ed8b67555087fc5866b522c5fc Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Fri, 10 Apr 2015 18:02:58 +0200
Subject: [PATCH 1/2] [ticket/security-180] Check if redirect URL contains
 board URL

SECURITY-180
---
 phpBB/includes/functions.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index f0657b9016..f79a0a9e52 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -2579,6 +2579,12 @@ function redirect($url, $return = false, $disable_cd_check = false)
 		}
 	}
 
+	// Make sure we don't redirect to external URLs
+	if (!$disable_cd_check && strpos($url, generate_board_url(true)) !== 0)
+	{
+		trigger_error('Tried to redirect to potentially insecure url.', E_USER_ERROR);
+	}
+
 	// Make sure no linebreaks are there... to prevent http response splitting for PHP < 4.4.2
 	if (strpos(urldecode($url), "\n") !== false || strpos(urldecode($url), "\r") !== false || strpos($url, ';') !== false)
 	{

From bca1b96b2e9235bbb4a3e7a104dd79e7f3761679 Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Sat, 11 Apr 2015 16:41:20 +0200
Subject: [PATCH 2/2] [ticket/security-180] Make sure that redirect goes to
 full URL plus slash

SECURITY-180
---
 phpBB/includes/functions.php     | 2 +-
 tests/security/redirect_test.php | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index f79a0a9e52..a6a98954de 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -2580,7 +2580,7 @@ function redirect($url, $return = false, $disable_cd_check = false)
 	}
 
 	// Make sure we don't redirect to external URLs
-	if (!$disable_cd_check && strpos($url, generate_board_url(true)) !== 0)
+	if (!$disable_cd_check && strpos($url, generate_board_url(true) . '/') !== 0)
 	{
 		trigger_error('Tried to redirect to potentially insecure url.', E_USER_ERROR);
 	}
diff --git a/tests/security/redirect_test.php b/tests/security/redirect_test.php
index 872a331dc7..46ec5c8edb 100644
--- a/tests/security/redirect_test.php
+++ b/tests/security/redirect_test.php
@@ -24,6 +24,9 @@ class phpbb_security_redirect_test extends phpbb_security_test_base
 			array("http://localhost/phpBB/memberlist.php\n\rConnection: close", 'Tried to redirect to potentially insecure url.', false),
 			array('javascript:test', false, 'http://localhost/phpBB/../javascript:test'),
 			array('http://localhost/phpBB/index.php;url=', 'Tried to redirect to potentially insecure url.', false),
+			array('https://foobar.com\@http://localhost/phpBB', false, 'http://localhost/phpBB'),
+			array('https://foobar.com\@localhost/troll/http://localhost/', 'Tried to redirect to potentially insecure url.', false),
+			array('http://localhost.foobar.com\@localhost/troll/http://localhost/', 'Tried to redirect to potentially insecure url.', false),
 		);
 	}