From d8803aaac2c5297adeb041b2ecdd4dd22c5766e0 Mon Sep 17 00:00:00 2001
From: wrongecho
Date: Mon, 6 Oct 2025 16:32:42 +0100
Subject: [PATCH] prevent open redirects upon agent login
---
 login.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/login.php b/login.php
index 7be23041..b40c0ea3 100644
--- a/login.php
+++ b/login.php
@@ -215,8 +215,13 @@ if (isset($_POST['login'])) {
 //}
 }
- if (isset($_GET['last_visited'])) {
+
+ // Redirect to last visited or config home
+
+ if (isset($_GET['last_visited']) && (str_starts_with(base64_decode($_GET['last_visited']), '/agent') || str_starts_with(base64_decode($_GET['last_visited']), '/admin'))) {
+
 redirect($_SERVER["REQUEST_SCHEME"] . "://" . $config_base_url . base64_decode($_GET['last_visited']) );
+
 } else {
 redirect("agent/$config_start_page");
 }
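Review bot: The new guard on `last_visited` only requires the decoded value to begin with `/agent` or `/admin`, so any path that merely shares the prefix (for example `/agent-old`) still passes. The parameter is also base64-decoded three separate times in non-strict mode, with no check that it is a string. Decoding once with `base64_decode(..., true)`, rejecting non-string input (an array value raises a TypeError in PHP 8), and matching the prefixes with a trailing slash would make the check and the redirect use the same validated string. This assumes legitimate `last_visited` values always contain the slash after the directory name, which is not visible here. The enclosing `if (isset($_POST['login']))` block begins above the hunk.

```php
// Decode once, strictly, and only when the parameter is a string
$last_visited = is_string($_GET['last_visited'] ?? null)
    ? base64_decode($_GET['last_visited'], true)
    : false;

if ($last_visited !== false && (str_starts_with($last_visited, '/agent/') || str_starts_with($last_visited, '/admin/'))) {
    redirect($_SERVER["REQUEST_SCHEME"] . "://" . $config_base_url . $last_visited);
// … unchanged: else branch redirecting to agent/$config_start_page …
```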