From 563675de095fef98a8eb2fc7b948845b6a693eb5 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov
Date: Thu, 23 Mar 2023 20:05:03 +0300
Subject: * auth_internal OTP form: fix double-urlencode * post-login redirect: handle ?return in a less idiotic fashion
---
 classes/handler/public.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'classes')
diff --git a/classes/handler/public.php b/classes/handler/public.php
index d776e27cd..d7a7010fe 100755
--- a/classes/handler/public.php
+++ b/classes/handler/public.php
@@ -416,10 +416,10 @@ class Handler_Public extends Handler {
 $_SESSION["login_error_msg"] ??= __("Incorrect username or password");
 }
- $return = clean($_REQUEST['return']);
+ $return = clean($_REQUEST['return'] ?? '');
- if ($_REQUEST['return'] && mb_strpos($return, Config::get_self_url()) === 0) {
- header("Location: " . clean($_REQUEST['return']));
+ if ($return && mb_strpos($return, Config::get_self_url()) === 0) {
+ header("Location: $return");
 } else {
 header("Location: " . Config::get_self_url());
 }
--
cgit v1.2.3
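Review bot: The `?return` validation is still a bare prefix match (`mb_strpos($return, Config::get_self_url()) === 0`), so if the configured self URL does not end in a slash, a value that merely begins with that string but continues into a different host or sibling path is accepted and the post-login redirect can leave the site. Anchoring the comparison at a path boundary closes this: `if ($return && mb_strpos($return, rtrim(Config::get_self_url(), '/') . '/') === 0) {`. A return value equal to the bare base URL then falls into the else branch, which redirects to the same place anyway. Whether `get_self_url()` already guarantees a trailing slash is not visible here, and the enclosing method starts and ends outside the hunk.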