| author | Greg Roach <greg@subaqua.co.uk> | 2021-09-29 08:41:15 +0100 |
|---|---|---|
| committer | Greg Roach <greg@subaqua.co.uk> | 2021-09-29 08:59:30 +0100 |
| commit | 551ad4afbcef2a72a6cf6461f1747762180b12c5 (patch) | |
| tree | 026d0fa08aa4d7947e4a8aa5442573ce48c7a1e2 /app/Http/RequestHandlers/AddSpouseToFamilyAction.php | |
| parent | e3ca0f87ab6e0eb7a88247dc2eefbb0b38263391 (diff) | |
Fix: unvalidated redirect
Diffstat (limited to 'app/Http/RequestHandlers/AddSpouseToFamilyAction.php')
| -rw-r--r-- | app/Http/RequestHandlers/AddSpouseToFamilyAction.php | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/app/Http/RequestHandlers/AddSpouseToFamilyAction.php b/app/Http/RequestHandlers/AddSpouseToFamilyAction.php
index e0de3029c7..80755cb653 100644
--- a/app/Http/RequestHandlers/AddSpouseToFamilyAction.php
+++ b/app/Http/RequestHandlers/AddSpouseToFamilyAction.php
@@ -94,6 +94,9 @@ class AddSpouseToFamilyAction implements RequestHandlerInterface
 // Link the spouse to the family
 $family->createFact('1 ' . $link . ' @' . $spouse->xref() . '@', false);
- return redirect($params['url'] ?? $spouse->url());
+ $base_url = $request->getAttribute('base_url');
+ $url = str_starts_with($params['url'], $base_url) ? $params['url'] : $spouse->url();
+
+ return redirect($url);
 }
 }
 |
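Review bot: The new `str_starts_with($params['url'], $base_url)` check is a bare string-prefix test, so it only pins the redirect to this site if `base_url` ends in a path delimiter; if the attribute has no trailing slash (not visible in this hunk), a URL on a different host whose name merely begins with the same characters would still pass. Comparing against a delimiter-terminated prefix closes that gap, for example `str_starts_with($url, rtrim($base_url, '/') . '/')`. The change also drops the old `??` fallback, so a request without a `url` parameter now reads an undefined key and hands `null` to `str_starts_with()`; reading it first with `$url = $params['url'] ?? '';` keeps the previous fall-through to `$spouse->url()`. The enclosing handler method starts above the hunk, so how `$params` is populated is not shown here.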
