forward() allows for only http/https URLs
Reported by: jricher | Owned by: (unassigned)
Severity: minor | Keywords: redirect, forward, location, http
The core forward() function prepends the site root to any input that does not start with http: or https:.
While the intent is clear (give an unambiguous redirect target for relative URLs), this falls apart when redirecting to a valid, absolute, non-HTTP URL. Examples include application-level callbacks on a mobile device (app://parameter) or sending an action to content on an external non-HTTP server, such as FTP.
The easiest fix for 1.7 would be to add an optional flag to the forward() call that bypasses the http:// check when set. A deeper fix would be to gut the forward() function's check and replace it with better filter logic.
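A sketch of both behaviours, as an added example in PHP (not the project's own forward() code): the "starts with http: or https:" test the ticket describes, beside a scheme-aware replacement of the kind a "better filter logic" fix would need. SITE_URL, the function names, the sample inputs and the scheme allowlist are assumptions of this example.

```php
<?php
// Added example, not the project's forward() implementation.
// SITE_URL stands in for the site root the real function prepends (assumed).
const SITE_URL = 'https://example.com/';

/** Behaviour the ticket describes: anything not starting with http:// or
 *  https:// gets the site root prepended, so app://callback becomes
 *  https://example.com/app://callback, which is the reported bug. */
function resolve_legacy(string $location): string {
    if (strpos($location, 'http://') !== 0 && strpos($location, 'https://') !== 0) {
        $location = SITE_URL . ltrim($location, '/');
    }
    return $location;
}

/** Shape of a filtered replacement: an input with a syntactically valid
 *  scheme (RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) then ":")
 *  is treated as absolute and passed through unchanged, but only if the
 *  scheme is on an allowlist, so the redirect cannot be pointed at
 *  javascript: or data: . Everything else is treated as a site-relative
 *  path. The allowlist is an assumption of this example, not the ticket's. */
function resolve_filtered(string $location, array $allowed_schemes = ['http', 'https', 'ftp', 'app']): string {
    if (preg_match('#^([A-Za-z][A-Za-z0-9+.-]*):#', $location, $m)) {
        $scheme = strtolower($m[1]);
        if (!in_array($scheme, $allowed_schemes, true)) {
            throw new InvalidArgumentException("Refusing redirect to scheme '$scheme'");
        }
        return $location;                     // absolute URL with an allowed scheme
    }
    // No scheme: keep it on this site. ltrim() also collapses a
    // protocol-relative "//evil.example/" into a path under SITE_URL.
    return SITE_URL . ltrim($location, '/');
}

// Constructed sample inputs covering the cases discussed in the ticket.
$samples = [
    'pg/dashboard',                 // relative path
    'app://callback?code=1',        // mobile app callback
    'ftp://files.example.org/x',    // external non-HTTP server
    'javascript:alert(1)',          // scheme the filter should refuse
    '//evil.example/',              // protocol-relative, should stay on-site
];

foreach ($samples as $in) {
    echo str_pad($in, 30), " legacy   => ", resolve_legacy($in), PHP_EOL;
    try {
        echo str_pad('', 30), " filtered => ", resolve_filtered($in), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo str_pad('', 30), " filtered => ", $e->getMessage(), PHP_EOL;
    }
}
```

The allowlist is the caveat worth keeping in mind for the simpler "bypass flag" option: a flag that disables the http:// check unconditionally emits whatever string it is given, so callers would have to guarantee that the location never comes from user input, whereas a scheme allowlist keeps that guarantee inside forward() itself.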