|
|
Found and fixed in CVS. Will be included in Mantis 1.1.0.
Index: logout_page.php
RCS file: /cvsroot/mantisbt/mantisbt/logout_page.php,v
retrieving revision 1.17
diff -u -r1.17 logout_page.php
--- logout_page.php 30 May 2004 01:49:31 -0000 1.17
+++ logout_page.php 21 Mar 2006 12:10:11 -0000
@@ -18,5 +18,5 @@
auth_http_set_logout_pending( true );
}
- print_header_redirect( config_get( 'logout_redirect_page' ) );
-
print_header_redirect( config_get( 'logout_redirect_page' ), / die / true, / sanitize / false );
?>
Index: core/print_api.php
RCS file: /cvsroot/mantisbt/mantisbt/core/print_api.php,v
retrieving revision 1.150
diff -u -r1.150 print_api.php
--- core/print_api.php 3 Feb 2006 03:46:12 -0000 1.150
+++ core/print_api.php 21 Mar 2006 12:09:41 -0000
@@ -26,15 +26,17 @@
immediately
If we have handled any errors on this page and the 'stop_on_errors' config
option is turned on, return false and don't redirect.
- function print_header_redirect( $p_url, $p_die = true ) {
-
$p_sanitize - true/false - true in the case where the URL is extracted from GET/POST or untrusted source.
-
This would be false if the URL is trusted (e.g. read from config_inc.php).
-
function print_header_redirect( $p_url, $p_die = true, $p_sanitize = true ) {
$t_use_iis = config_get( 'use_iis');
if ( ON == config_get( 'stop_on_errors' ) && error_handled() ) {
return false;
}
-
-
# validate the url as part of this site before continuing
- $t_url = string_sanitize_url( $p_url );
-
$t_url = $p_sanitize ? string_sanitize_url( $p_url ) : $p_url;
# don't send more headers if they have already been sent (guideweb)
if ( ! headers_sent() ) {
|
