From 4c7aaa034f568c9758c5bb221cc14eaf45c9503d Mon Sep 17 00:00:00 2001
From: Jared Hancock <jared@osticket.com>
Date: Sat, 30 Nov 2013 15:42:29 -0600
Subject: [PATCH] auth: Handle REQUEST_URI not being authoritative

If _SERVER{REQUEST_URI} does not start with a leading slash, add one. This
will ensure that the redirect URL offered after a successful login will
be to an absolute url rather than an implied relative one.

Fixes osTicket/osTicket-1.7#858
---
 main.inc.php      | 1 -
 scp/staff.inc.php | 3 ++-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/main.inc.php b/main.inc.php
index ff0044d43..1f6a188f2 100644
--- a/main.inc.php
+++ b/main.inc.php
@@ -140,7 +140,6 @@
 
     #CURRENT EXECUTING SCRIPT.
     define('THISPAGE', Misc::currentURL());
-    define('THISURI', $_SERVER['REQUEST_URI']);
 
     # This is to support old installations. with no secret salt.
     if(!defined('SECRET_SALT')) define('SECRET_SALT',md5(TABLE_PREFIX.ADMIN_EMAIL));
diff --git a/scp/staff.inc.php b/scp/staff.inc.php
index 0c835d46a..359663a4c 100644
--- a/scp/staff.inc.php
+++ b/scp/staff.inc.php
@@ -49,7 +49,8 @@ require_once(INCLUDE_DIR.'class.csrf.php');
 if(!function_exists('staffLoginPage')) { //Ajax interface can pre-declare the function to  trap expired sessions.
     function staffLoginPage($msg) {
         global $ost, $cfg;
-        $_SESSION['_staff']['auth']['dest']=THISURI;
+        $_SESSION['_staff']['auth']['dest'] =
+            '/' . ltrim($_SERVER['REQUEST_URI'], '/');
         $_SESSION['_staff']['auth']['msg']=$msg;
         require(SCP_DIR.'login.php');
         exit;
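Review bot: The value written to `$_SESSION['_staff']['auth']['dest']` on the two added lines is still taken verbatim from the client-supplied `$_SERVER['REQUEST_URI']`; prefixing a `/` makes the redirect path-absolute, but nothing checks that the result is a same-origin path, and `$_SERVER['REQUEST_URI']` is read without an `isset` guard, so an SAPI that does not populate it raises a notice and stores `/`. I would normalise as the patch does and then keep the result only if `parse_url()` sees neither a scheme nor a host and the string contains no backslash, falling back to a safe default otherwise. The fallback below is shown as `'/'` as a placeholder; use whatever landing page the staff login normally redirects to. staffLoginPage's closing brace lies outside the hunk.
```php
        global $ost, $cfg;
        // REQUEST_URI is client-supplied; keep only a same-origin path so the
        // post-login redirect cannot leave this site.
        $uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '/';
        $dest = '/' . ltrim($uri, '/');
        $parts = parse_url($dest);
        if ($parts === false || isset($parts['scheme']) || isset($parts['host'])
                || strpos($dest, '\\') !== false) {
            $dest = '/'; // placeholder: substitute the normal post-login landing page
        }
        $_SESSION['_staff']['auth']['dest'] = $dest;
        // … unchanged: msg assignment, require of login.php, exit …
```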
-- 
GitLab