From d95f070db852614fa18ccca6a4f12f4bffede1fd Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Sat, 10 Jan 2015 23:25:54 +0100
Subject: [PATCH] Fix URL redirection issue in login_page.php

The fix for issue #17648 failed to correct all cases of redirection.

Alejo Popovici discovered that the regex checking for URLs pointing to
other domains considered an URL with a single '/' as local, allowing
redirection e.g. to http:/google.com on certain browsers.

Fixes #17997 (CVE-2014-6316)
---
 core/string_api.php | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/core/string_api.php b/core/string_api.php
index c17c613..e9f3472 100644
--- a/core/string_api.php
+++ b/core/string_api.php
@@ -252,8 +252,7 @@ function string_sanitize_url( $p_url, $p_return_absolute = false ) {
 
 	# Check for URL's pointing to other domains
 	if ( 0 == $t_type || empty( $t_matches['script'] ) ||
-		3 == $t_type && preg_match( '@(?:[^:]*)?://@', $t_url ) > 0 ) {
-
+		3 == $t_type && preg_match( '@(?:[^:]*)?:/*@', $t_url ) > 0 ) {
 		return ( $p_return_absolute ? $t_path . '/' : '' ) . 'index.php';
 	}
 
-- 
2.1.0