<?php
/**
* Horde redirection script.
*
* Copyright 1999-2015 Horde LLC (http://www.horde.org/)
*
* See the enclosed file COPYING for license information (LGPL-2). If you
* did not receive this file, see http://www.horde.org/licenses/lgpl.
*
* @author Chuck Hagenbuch <[email protected]>
* @category Horde
* @license http://www.horde.org/licenses/lgpl LGPL-2
* @package Horde
*/
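require_once __DIR__ . '/lib/Application.php';
Horde_Registry::appInit('horde', array(
    'authentication' => 'none',
    'nologintasks' => true
));

/* The redirect target is either the post-login URL stashed in
 * $horde_login_url or the 'url' form parameter. Either way it originates
 * from the request and is treated as untrusted below. */
$main_page = Horde_Util::nonInputVar('horde_login_url', Horde_Util::getFormData('url'));

/* Break up the requested URL in $main_page and run some sanity checks on
 * it to prevent phishing (open redirect) and XSS attacks. If any of the
 * checks fail, $main_page is set to null and the normal landing page
 * selection further down is used instead. */
if (!empty($main_page)) {
    // Mute errors in case of unparseable URLs.
    $req = @parse_url($main_page);

    if ($req === false ||
        preg_match('/[\x00-\x1f\x7f]/', $main_page)) {
        /* parse_url() could not make sense of the string, or it carries
         * control characters (CR/LF included). Browsers parse such input
         * more leniently than we do, so reject it outright rather than
         * reasoning about components we could not extract. */
        $main_page = null;
    } elseif (isset($req['host'])) {
        /* We assume that any valid redirect URL will be in the same cookie
         * domain. This helps prevent rogue off-site Horde installs from
         * mimicking the real server. The match is anchored on a label
         * boundary so that "evilexample.org" does not satisfy a cookie
         * domain of "example.org", and an empty cookie domain (which would
         * otherwise match every host) refuses all absolute URLs. */
        $cookiedom = isset($conf['cookie']['domain'])
            ? strtolower(ltrim((string)$conf['cookie']['domain'], '.'))
            : '';
        $host = strtolower($req['host']);
        if ($cookiedom === '' ||
            !preg_match('/(^|\.)' . preg_quote($cookiedom, '/') . '\z/', $host)) {
            $main_page = null;
        }
    } elseif (preg_match('#^[\\\\/]{2}#', $main_page)) {
        /* No host was parsed, yet the string starts with two slash-like
         * characters. Browsers treat "/\" and "\\" like "//", i.e. as a
         * scheme-relative URL that leaves this site, so refuse it. */
        $main_page = null;
    }

    /* Protocol whitelist: If the URL is fully qualified ... */
    if ($main_page !== null &&
        (isset($req['scheme']) ||
         isset($req['host']) ||
         isset($req['port']) ||
         isset($req['user']) ||
         isset($req['pass']))) {
        // ... make sure it is either http or https.
        $allowed_protocols = array('http', 'https');
        if (empty($req['scheme']) ||
            !in_array($req['scheme'], $allowed_protocols, true)) {
            $main_page = null;
        }
    }
}

/* Pick the page to send the browser to. Order matters: an explicitly
 * requested (and validated) URL wins, then the login page for anonymous
 * users, then the user's preferred application, then the portal. */
if ($main_page) {
    $main_page = new Horde_Url($main_page);
} elseif (!$registry->getAuth()) {
    /* Always redirect to login page if there is no incoming URL and nobody
     * is authenticated. */
    $main_page = Horde::url('login.php', true);
} elseif (($initial_app = $prefs->getValue('initial_application')) &&
          ($initial_app !== 'horde') &&
          $registry->hasPermission($initial_app)) {
    $main_page = Horde::url($registry->getInitialPage($initial_app), true);
} elseif ($registry->getView() == Horde_Registry::VIEW_SMARTMOBILE) {
    $main_page = $registry->getServiceLink('portal');
} elseif (($initial_page = $registry->getInitialPage('horde')) &&
          !in_array(basename($initial_page), array('index.php', 'login.php'), true)) {
    /* Next, try the initial horde page if it is something other than
     * index.php or login.php, since that would lead to infinite loops. */
    $main_page = Horde::url($initial_page, true);
} else {
    /* Finally, fallback to the portal page. */
    $main_page = $registry->getServiceLink('portal');
}

$main_page->redirect();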