Merge pull request #3080 from owncloud/validate_redirect_mast

Disallow URLs containing a @

lib/base.php

@@ -631,9 +631,14 @@ class OC {
 		// Handle redirect URL for logged in users
 		if (isset($_REQUEST['redirect_url']) && OC_User::isLoggedIn()) {
 			$location = OC_Helper::makeURLAbsolute(urldecode($_REQUEST['redirect_url']));
+			
+			// Deny the redirect if the URL contains a @
+			// This prevents unvalidated redirects like ?redirect_url=:user@domain.com
+			if (strpos($location, '@') === FALSE) {
 				header('Location: ' . $location);
 				return;
 			}
+		}
 		// Handle WebDAV
 		if ($_SERVER['REQUEST_METHOD'] == 'PROPFIND') {
 			header('location: ' . OC_Helper::linkToRemote('webdav'));