From 20ead233cabc8fefcd86bd99f08dadc261669300 Mon Sep 17 00:00:00 2001
From: Mischa POSLAWSKY <perl@shiar.org>
Date: Wed, 12 Jun 2019 20:49:28 +0200
Subject: [PATCH] login: forward redirect parameters on post form

Copy as explicit post field since get parameters are stripped since commit
v3.5-30-g1a94d9191a (2018-08-11) [strip logout parameter on form post].

Reported-by: Ben van Vianen
---
 login/form.inc.php | 1 +
 login/index.php    | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/login/form.inc.php b/login/form.inc.php
index c3913fb..7e78f82 100644
--- a/login/form.inc.php
+++ b/login/form.inc.php
@@ -1,6 +1,7 @@
 <h2>Inloggen</h2>
 
 <form action="?" method="post">
+	<input type="hidden" name="goto" value="<?php print htmlspecialchars(@$_REQUEST['goto']); ?>" />
 	<input id="login" name="login" placeholder="Gebruikersnaam" value="<?php
 		if (isset($_POST['login'])) print htmlspecialchars($_POST['login']);
 	?>" />
diff --git a/login/index.php b/login/index.php
index 86af074..8b4c223 100644
--- a/login/index.php
+++ b/login/index.php
@@ -42,9 +42,9 @@ if (empty($User)) {
 	return TRUE;
 }
 
-if (isset($_GET['goto'])) {
+if (isset($_REQUEST['goto'])) {
 	ob_clean();
-	$target = ltrim($_GET['goto'], '/');
+	$target = ltrim($_REQUEST['goto'], '/');
 	header("Location: /$target");
 	http_response_code(302);
 	exit;
-- 
2.30.0