* NTLM authentication: limit redirect, if NTLM auth could not be preformed, to same domain, EGroupware domain, or explicitly whitelisted domains

to fix issue "found" on www.autosectools.com

phpgwapi/ntlm/index.php

@@ -7,10 +7,35 @@
  * @package api
  * @subpackage authentication
  * @author Ralf Becker <RalfBecker-AT-outdoor-training.de>
- * @copyright (c) 2008 by Ralf Becker <RalfBecker-AT-outdoor-training.de>
+ * @copyright (c) 2008-2011 by Ralf Becker <RalfBecker-AT-outdoor-training.de>
  * @version $Id$
  */
 
+/**
+ * Check if given domain is either whitelisted, the current one or the EGroupware one
+ *
+ * Used to NOT redirect to arbitrary urls.
+ *
+ * @param string $url full url or just path, later is always allowed, as it stays within the domain
+ * @return boolean
+ */
+function check_domain($url)
+{
+	$whitelisted = array(
+		$_SERVER['HTTP_HOST'],	// can contain :port
+		// add additional domains-names (just full qualified hostnames) here
+
+	);
+	if ($GLOBALS['egw_info']['server']['webserver_url'][0] === 'h')
+	{
+		$whitelisted[] = parse_url($GLOBALS['egw_info']['server']['webserver_url'], PHP_URL_HOST);
+	}
+	$parts = parse_url($url);
+	$host = $parts['host'].($parts['port'] ? ':'.$parts['port'] : '');
+
+	return $url[0] == '/' || in_array($host, $whitelisted);
+}
+
 /**
  * check if the given user has access
  *
@@ -36,7 +61,7 @@ function check_access(&$account)
 	}
 	if (!$sessionid)
 	{
-		if (isset($_GET['forward']))
+		if (isset($_GET['forward']) && check_domain($_GET['forward']))
 		{
 			header('Location: '.$_GET['forward']);
 		}
@@ -57,7 +82,7 @@ $GLOBALS['egw_info']['flags'] = array(
 // if you move this file somewhere else, you need to adapt the path to the header!
 include(dirname(__FILE__).'/../../header.inc.php');
 
-if (isset($_GET['forward']))
+if (isset($_GET['forward']) && check_domain($_GET['forward']))
 {
 	$forward = $_GET['forward'];
 	$GLOBALS['egw']->session->appsession('referer', 'login', $forward);