From 8840efebdb050e9bd17f00ad06cdab2eebc25569 Mon Sep 17 00:00:00 2001
From: Yasen Pramatarov
Date: Wed, 23 Oct 2024 15:28:45 +0300
Subject: [PATCH] Fixes bugs in URL redirects
---
 app/pages/login.php | 4 ++--
 app/pages/register.php | 4 ++--
 public_html/index.php | 8 +++++++-
 3 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/app/pages/login.php b/app/pages/login.php
index 926fd8c..f40d06e 100644
--- a/app/pages/login.php
+++ b/app/pages/login.php
@@ -42,7 +42,7 @@ try {
 $_SESSION['notice'] = "Login successful";
 $user_id = $userObject->getUserId($username)[0]['id'];
 $logObject->insertLog($user_id, "Login: User \"$username\" logged in. IP: $user_IP", 'user');
- header('Location: index.php');
+ header('Location: ' . htmlspecialchars($app_root));
 exit();
 // login failed
@@ -50,7 +50,7 @@ try {
 $_SESSION['error'] = "Login failed.";
 $user_id = $userObject->getUserId($username)[0]['id'];
 $logObject->insertLog($user_id, "Login: Failed login attempt for user \"$username\". IP: $user_IP", 'user');
- header('Location: index.php');
+ header('Location: ' . htmlspecialchars($app_root));
 exit();
 }
 }
diff --git a/app/pages/register.php b/app/pages/register.php
index 9c56b0b..57fd472 100644
--- a/app/pages/register.php
+++ b/app/pages/register.php
@@ -23,12 +23,12 @@ if ($config['registration_enabled'] === true) {
 // redirect to login
 if ($result === true) {
 $_SESSION['notice'] = "Registration successful.
You can log in now.";
- header('Location: index.php');
+ header('Location: ' . htmlspecialchars($app_root));
 exit();
 // registration fail, redirect to login
 } else {
 $_SESSION['error'] = "Registration failed. $result";
- header('Location: index.php');
+ header('Location: ' . htmlspecialchars($app_root));
 exit();
 }
 }
diff --git a/public_html/index.php b/public_html/index.php
index 6ebc014..7ae2bce 100644
--- a/public_html/index.php
+++ b/public_html/index.php
@@ -89,7 +89,7 @@ if (isset($_COOKIE['username'])) {
 // redirect to login
 if ( !isset($_COOKIE['username']) && ($page !== 'login' && $page !== 'register') ) {
- header('Location: index.php?page=login');
+ header('Location: ' . htmlspecialchars($app_root) . '?page=login');
 exit();
 }
@@ -147,6 +147,12 @@ if ($page == 'logout') {
 $userRights = $userObject->getUserRights($user_id);
 $userTimezone = isset($userDetails[0]['timezone']) ? $userDetails[0]['timezone'] : 'UTC'; // Default to UTC if no timezone is set
+ // If by error a logged in user requests the login page
+ if ($page === 'login') {
+ header('Location: ' . htmlspecialchars($app_root));
+ exit();
+ }
+
 // check if the Jilo Server is running
 require '../app/classes/server.php';
 $serverObject = new Server($dbWeb);
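Review bot: `htmlspecialchars()` is the wrong encoder for the `Location:` header on the added lines of this register.php hunk — the header value is a URL, not HTML, so an `$app_root` containing `&` would be sent as `&amp;` and break the redirect, and the call gives no protection against header injection, since PHP's `header()` already rejects values containing CR or LF. The same pattern is added in both login.php hunks and in the first index.php hunk, where the encoded value is then concatenated with `?page=login`. Whether `$app_root` is a safe redirect target depends on where it is set, which is outside these hunks; if it is built from request data such as the Host header rather than from fixed configuration, the redirect destination is user-influenced (open redirect) and should be validated against the configured base URL before use. Suggest `header('Location: ' . $app_root);` together with a comment at the definition of `$app_root` stating that it is fixed configuration and never taken from the request.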
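Review bot: The new logged-in check in the second index.php hunk redirects only when `$page === 'login'`, while the anonymous-user check in the first hunk treats `login` and `register` as the pair of pages that need no session, so a logged-in user can still reach `register`; if that is unintended, `if ($page === 'login' || $page === 'register') {` keeps the two checks symmetric. The check is also placed after the `getUserRights()` and timezone lookups, so such a request does that work only to be redirected; it could move to the start of the logged-in branch, which lies outside the hunk. The enclosing `if ($page == 'logout')` shown as the hunk's context line uses loose `==` while the new line uses `===`; using `===` in both places would make the page comparisons consistent.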