authorGreg Roach <greg@subaqua.co.uk>2021-09-29 08:41:15 +0100
committerGreg Roach <greg@subaqua.co.uk>2021-09-29 08:59:30 +0100
commit551ad4afbcef2a72a6cf6461f1747762180b12c5 (patch)
tree026d0fa08aa4d7947e4a8aa5442573ce48c7a1e2 /app/Http/RequestHandlers/AddSpouseToFamilyAction.php
parente3ca0f87ab6e0eb7a88247dc2eefbb0b38263391 (diff)
Fix: unvalidated redirect
Diffstat (limited to 'app/Http/RequestHandlers/AddSpouseToFamilyAction.php')
-rw-r--r--app/Http/RequestHandlers/AddSpouseToFamilyAction.php5
1 files changed, 4 insertions, 1 deletions
diff --git a/app/Http/RequestHandlers/AddSpouseToFamilyAction.php b/app/Http/RequestHandlers/AddSpouseToFamilyAction.php
index e0de3029c7..80755cb653 100644
--- a/app/Http/RequestHandlers/AddSpouseToFamilyAction.php
+++ b/app/Http/RequestHandlers/AddSpouseToFamilyAction.php
@@ -94,6 +94,9 @@ class AddSpouseToFamilyAction implements RequestHandlerInterface
// Link the spouse to the family
$family->createFact('1 ' . $link . ' @' . $spouse->xref() . '@', false);
- return redirect($params['url'] ?? $spouse->url());
+ $base_url = $request->getAttribute('base_url');
+ $url = str_starts_with($params['url'], $base_url) ? $params['url'] : $spouse->url();
+
+ return redirect($url);
}
}
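Review bot: The new `str_starts_with($params['url'], $base_url)` line drops the `??` fallback that the removed line had, so a request without a `url` parameter now reads an undefined key and passes null to `str_starts_with()` instead of falling back to `$spouse->url()`. The bare prefix comparison is also only a safe same-site check if `base_url` ends at a path boundary; if it has no trailing slash (not visible in this hunk), a different host that merely begins with the same characters would still pass. Consider `$url = $params['url'] ?? '';` followed by `$url = str_starts_with($url, rtrim($base_url, '/') . '/') ? $url : $spouse->url();`. The method body starts outside the hunk, so how `$params` is populated should be confirmed there.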