From 8eeee03ca9e9bbba867803f0070e784b7dfd37a7 Mon Sep 17 00:00:00 2001 From: novgorodschi catalin Date: Fri, 3 Jul 2026 14:30:31 +0300 Subject: [PATCH] Fix (vulnerability) HTTP_HOST Fix vulnerability (HTTP_HOST) --- GameEngine/Admin/function.php | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/GameEngine/Admin/function.php b/GameEngine/Admin/function.php index e484e293..4e4da5a1 100755 --- a/GameEngine/Admin/function.php +++ b/GameEngine/Admin/function.php @@ -30,6 +30,22 @@ class funct } private function safeRedirect(){ + + $url = $_SERVER['HTTP_REFERER'] ?? ''; + + if (!empty($url)) { + $parts = parse_url($url); + + // Acceptăm doar URL-uri locale + if ( + empty($parts['host']) || + $parts['host'] === $_SERVER['HTTP_HOST'] + ) { + header('Location: ' . $url); + exit; + } + } + header('Location: admin.php'); exit; }