From 7135a800b9da2c5bbec234bac7679831a10332af Mon Sep 17 00:00:00 2001
From: Georg Ringer <georg.ringer@gmail.com>
Date: Thu, 28 Jul 2016 18:01:48 +0200
Subject: [PATCH] [BUGFIX] Fix unsafe URL removal in EXT:felogin

A comma can be a valid character inside a URL and must not be used as a
delimiter.

Resolves: #75915
Releases: master, 7.6
Change-Id: I0eb3c6389b5d28e96b981217d09c2fef5dbf331d
Reviewed-on: https://review.typo3.org/49255
Tested-by: Bamboo TYPO3com <info@typo3.com>
Reviewed-by: Sascha Egerer <sascha@sascha-egerer.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Frederic Gaus <frederic.gaus@flagbit.de>
Reviewed-by: Daniel Goerz <ervaude@gmail.com>
Reviewed-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Reviewed-by: Jan Helke <typo3@helke.de>
Tested-by: Benni Mack <benni@typo3.org>
---
 .../felogin/Classes/Controller/FrontendLoginController.php    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/typo3/sysext/felogin/Classes/Controller/FrontendLoginController.php b/typo3/sysext/felogin/Classes/Controller/FrontendLoginController.php
index 15812994832c..4e8ecb34adfc 100644
--- a/typo3/sysext/felogin/Classes/Controller/FrontendLoginController.php
+++ b/typo3/sysext/felogin/Classes/Controller/FrontendLoginController.php
@@ -797,9 +797,9 @@ class FrontendLoginController extends \TYPO3\CMS\Frontend\Plugin\AbstractPlugin
                 }
             }
         }
-        // Remove empty values
+        // Remove empty values, but keep "0" as value (that's why "strlen" is used as second parameter)
         if (!empty($redirect_url)) {
-            return GeneralUtility::trimExplode(',', implode(',', $redirect_url), true);
+            return array_filter($redirect_url, 'strlen');
         }
         return array();
     }
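Review bot: `array_filter($redirect_url, 'strlen')` on the new return line preserves the input array's keys and no longer trims entries, whereas the replaced `trimExplode(',', ..., true)` returned a re-indexed list of trimmed values. If a caller reads the first redirect target by index 0, or a whitespace-only entry reaches the later redirect-URL validation, the result differs from before; the callers are not visible in this hunk, so this needs confirming. Consider `return array_values(array_filter(array_map('trim', $redirect_url), 'strlen'));`, which keeps the old contract without splitting on commas. The enclosing method starts before this hunk, so how `$redirect_url` is populated (and whether every entry is a string that `strlen` can accept) cannot be checked from here.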
-- 
GitLab