79 lines
2.8 KiB
PHP
79 lines
2.8 KiB
PHP
<?php
|
|
/**
|
|
* Horde redirection script.
|
|
*
|
|
* Copyright 1999-2017 Horde LLC (http://www.horde.org/)
|
|
*
|
|
* See the enclosed file COPYING for license information (LGPL-2). If you
|
|
* did not receive this file, see http://www.horde.org/licenses/lgpl.
|
|
*
|
|
* @author Chuck Hagenbuch <chuck@horde.org>
|
|
* @category Horde
|
|
* @license http://www.horde.org/licenses/lgpl LGPL-2
|
|
* @package Horde
|
|
*/
|
|
|
|
require_once __DIR__ . '/lib/Application.php';
|
|
Horde_Registry::appInit('horde', array(
|
|
'authentication' => 'none',
|
|
'nologintasks' => true
|
|
));
|
|
|
|
$main_page = Horde_Util::nonInputVar('horde_login_url', Horde_Util::getFormData('url'));
|
|
|
|
// Break up the requested URL in $main_page and run some sanity checks
|
|
// on it to prevent phishing and XSS attacks. If any of the checks
|
|
// fail, $main_page will be set to null.
|
|
if (!empty($main_page)) {
|
|
// Mute errors in case of unparseable URLs
|
|
$req = @parse_url($main_page);
|
|
|
|
// We assume that any valid redirect URL will be in the same
|
|
// cookie domain. This helps prevent rogue off-site Horde installs
|
|
// from mimicking the real server.
|
|
if (isset($req['host'])) {
|
|
$qcookiedom = preg_quote($conf['cookie']['domain']);
|
|
if (!preg_match('/' . $qcookiedom . '$/', $req['host'])) {
|
|
$main_page = null;
|
|
}
|
|
}
|
|
|
|
// Protocol whitelist: If the URL is fully qualified ...
|
|
if (isset($req['scheme']) ||
|
|
isset($req['host']) ||
|
|
isset($req['port']) ||
|
|
isset($req['user']) ||
|
|
isset($req['pass'])) {
|
|
// ... make sure it is either http or https.
|
|
$allowed_protocols = array('http', 'https');
|
|
if (empty($req['scheme']) ||
|
|
!in_array($req['scheme'], $allowed_protocols)) {
|
|
$main_page = null;
|
|
}
|
|
}
|
|
}
|
|
|
|
if ($main_page) {
|
|
$main_page = new Horde_Url($main_page);
|
|
} elseif (!$registry->getAuth()) {
|
|
/* Always redirect to login page if there is no incoming URL and nobody
|
|
* is authenticated. */
|
|
$main_page = Horde::url('login.php', true);
|
|
} elseif (($initial_app = $prefs->getValue('initial_application')) &&
|
|
($initial_app != 'horde') &&
|
|
$registry->hasPermission($initial_app)) {
|
|
$main_page = Horde::url($registry->getInitialPage($initial_app), true);
|
|
} elseif ($registry->getView() == Horde_Registry::VIEW_SMARTMOBILE) {
|
|
$main_page = $registry->getServiceLink('portal');
|
|
} elseif (($initial_page = $registry->getInitialPage('horde')) &&
|
|
!in_array(basename($initial_page), array('index.php', 'login.php'))) {
|
|
/* Next, try the initial horde page if it is something other than
|
|
* index.php or login.php, since that would lead to infinite loops. */
|
|
$main_page = Horde::url($initial_page, true);
|
|
} else {
|
|
/* Finally, fallback to the portal page. */
|
|
$main_page = $registry->getServiceLink('portal');
|
|
}
|
|
|
|
$main_page->redirect();
|