Nur realtive URIs für logon.pl?callback= erlauben.

[kivitendo-erp.git] / bin / mozilla / menunew.pl

diff --git a/bin/mozilla/menunew.pl b/bin/mozilla/menunew.pl
index afce1cf..b48abc8 100644 (file)
--- a/bin/mozilla/menunew.pl
+++ b/bin/mozilla/menunew.pl
@@ -34,6 +34,7 @@
 
 use English qw(-no_match_vars);
 use List::Util qw(max);
+use URI;
 
 use SL::Menu;
 
@@ -49,6 +50,10 @@ sub display {
   $form->{force_ul_width} = 1;
   $form->{date}           = clock_line();
   $form->{menu_items}     = acc_menu();
+  my $callback            = $form->unescape($form->{callback});
+  $callback               = URI->new($callback)->rel($callback) if $callback;
+  $callback               = "login.pl?action=company_logo"      if $callback =~ /^(.\/)?$/;
+  $form->{callback}       = $callback;
 
   print $form->parse_html_template("menu/menunew");
 }