Index: openacs-4/packages/acs-lang/www/change-locale-include.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-lang/www/change-locale-include.tcl,v
diff -u -r1.17.2.1 -r1.17.2.2
--- openacs-4/packages/acs-lang/www/change-locale-include.tcl 10 Sep 2015 08:21:27 -0000 1.17.2.1
+++ openacs-4/packages/acs-lang/www/change-locale-include.tcl 25 May 2016 09:22:59 -0000 1.17.2.2
@@ -4,12 +4,19 @@
 # @author Peter Marklund (peter@collaboraid.biz)
 # @author Christian Hvid
 
-if { (![info exists return_url] || $return_url eq "") } {
+if { ![info exists return_url] || $return_url eq "" } {
     # Use referer header
     set return_url [ns_set iget [ns_conn headers] referer]
 }
 
+#
+# Check if the passed in value or the referer is faked
+#
+if {[util::external_url_p $return_url]} {
+    ad_page_contract_handle_datasource_error "invalid url"
+    ad_script_abort
+}
-if { (![info exists package_id] || $package_id eq "") } {
+if { ![info exists package_id] || $package_id eq "" } {
     set package_id [ad_conn package_id]
 }
 
@@ -50,6 +57,15 @@
 if { [form is_valid locale] } {
     set return_url [element get_value locale return_url_info]
     set package_id [element get_value locale package_id_info]
+
+    if {[util::external_url_p $return_url]} {
+        ad_page_contract_handle_datasource_error "invalid url"
+        ad_script_abort
+    }
+    if {![string is integer -strict $package_id]}
+        ad_page_contract_handle_datasource_error "invalid package_id"
+        ad_script_abort
+    }
 }
 
 # are we selecting package level locale as well?
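Review bot: The open-redirect guard added after the referer fallback is repeated verbatim in the second hunk (the `form is_valid locale` branch); a small file-local proc such as `proc validate_return_url {url} { if {[util::external_url_p $url]} { ad_page_contract_handle_datasource_error "invalid url"; ad_script_abort } }` called from both places would keep the two checks from drifting apart. When no Referer header is sent, `ns_set iget` presumably yields an empty string, so whether the page then continues with an empty return_url depends on how `util::external_url_p` treats "" — worth confirming, since that outcome is not visible here. The comment `# Check if the passed in value or the referer is faked` would read more precisely as `# Refuse a return_url (query parameter or Referer) that points off-site, to block open redirects`.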
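Review bot: The new package_id check is missing the opening brace of its body: `if {![string is integer -strict $package_id]}` is terminated by the newline, so Tcl evaluates `if` with a single argument and raises a wrong-number-of-arguments error before the body runs, and the `}` three lines below is left unmatched. The line should read `if {![string is integer -strict $package_id]} {`, matching the `util::external_url_p` check just above it. As written, any submission that reaches the `form is_valid locale` branch fails with a script error rather than being validated, so this should be caught by simply exercising the form once.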