From 217918e92de1237cd744a9afac77b5e93b7b68d8 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Mon, 4 Dec 2017 12:29:58 +0100
Subject: [inc/Util] Util::redirect() can now be told to redirect to $_POST['redirect']
---
 inc/util.inc.php | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
(limited to 'inc')
diff --git a/inc/util.inc.php b/inc/util.inc.php
index 963b3416..1fb5b78e 100644
--- a/inc/util.inc.php
+++ b/inc/util.inc.php
@@ -150,15 +150,21 @@ SADFACE;
 * Redirects the user via a '302 Moved' header.
 * An active session will be saved, any messages that haven't
 * been displayed yet will be appended to the redirect.
- * @param string $location Location to redirect to. "false" to redirect to same URL (useful after POSTs)
+ * @param string|false $location Location to redirect to. "false" to redirect to same URL (useful after POSTs)
+ * @param bool $preferRedirectPost if true, use the value from $_POST['redirect'] instead of $location
 */
- public static function redirect($location = false)
+ public static function redirect($location = false, $preferRedirectPost = false)
 {
 if ($location === false) {
 $location = preg_replace('/(&|\?)message\[\]\=[^&]*/', '\1', $_SERVER['REQUEST_URI']);
 }
 Session::save();
 $messages = Message::toRequest();
+ if ($preferRedirectPost
+ && ($redirect = Request::post('redirect', false, 'string')) !== false
+ && !preg_match(',^(\w+\:|//),', $redirect) /* no uri scheme, no server */) {
+ $location = $redirect;
+ }
 if (!empty($messages)) {
 if (strpos($location, '?') === false) {
 $location .= '?' . $messages;
-- cgit v1.2.3-55-g7522
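Review bot: The new filter `!preg_match(',^(\w+\:|//),', $redirect)` still leaves an open redirect, because it rejects only a leading `//`: under WHATWG URL parsing most browsers treat a backslash in an http(s) URL like a slash, so a posted `redirect` of `/\evil.example` resolves to `http://evil.example/`, and leading whitespace is stripped from the Location header value before parsing, so ` //evil.example` gets past the `^` anchor too (unless `Request::post()`'s `'string'` filter trims it, which is not visible here). The value comes straight from `$_POST`, so every caller that passes `$preferRedirectPost = true` is exposed. A tighter one-line rule that also rejects a backslash anywhere, leading whitespace, and the full scheme alphabet would be `&& !preg_match(',^\s|\\\\|^\w[\w+.-]*:|^//,', $redirect) /* no scheme, no //, no backslash, no leading whitespace */) {`. The `@param bool $preferRedirectPost` docblock should also say that a posted value failing this check is ignored and `$location` is used instead. The body of `redirect()` continues past the end of the hunk.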