Index: include/lib_auth.inc.php
===================================================================
RCS file: /repository/docweb/include/lib_auth.inc.php,v
retrieving revision 1.15
diff -u -r1.15 lib_auth.inc.php
--- include/lib_auth.inc.php 4 Dec 2006 23:18:04 -0000 1.15
+++ include/lib_auth.inc.php 5 Dec 2006 17:46:30 -0000
@@ -52,7 +52,7 @@
 function auth()
 {
 global $user, $password;
- $return = $_SERVER['REQUEST_URI'];
+ $return = urlencode($_SERVER['REQUEST_URI']);
 if (isset($_COOKIE['MAGIC_COOKIE'])) {
Index: templates/all/www/login.tpl.php
===================================================================
RCS file: /repository/docweb/templates/all/www/login.tpl.php,v
retrieving revision 1.1
diff -u -r1.1 login.tpl.php
--- templates/all/www/login.tpl.php 10 Aug 2006 18:20:09 -0000 1.1
+++ templates/all/www/login.tpl.php 5 Dec 2006 17:46:31 -0000
@@ -4,7 +4,13 @@

- +
Index: www/login.php
===================================================================
RCS file: /repository/docweb/www/login.php,v
retrieving revision 1.2
diff -u -r1.2 login.php
--- www/login.php 4 Dec 2006 23:18:04 -0000 1.2
+++ www/login.php 5 Dec 2006 17:46:31 -0000
@@ -7,9 +7,11 @@
 require_once '../include/lib_auth.inc.php';
 auth();
- if (isset($_REQUEST['return']) && !empty($_REQUEST['return'])) {
- header('Location: http://'.$_SERVER['HTTP_HOST'].$_REQUEST['return']);
- }
+ if (isset($_REQUEST['return']) && !empty($_REQUEST['return'])
+ && strpos($_REQUEST['return'], "\n") === false) {
+
+ header('Location: http://'.$_SERVER['HTTP_HOST'].$_REQUEST['return']);
+ }
 echo 'You are logged in';
 echo is_admin() ? ' with admin rights.' : '.';
 } else {
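Review bot: The new condition only rejects a literal `\n`, so a `return` value is still concatenated onto `http://` . HTTP_HOST without being constrained to a local path, and a value that does not start with a single `/` is not guaranteed to keep the Location header on this host; a bare `\r` is also not rejected. Tighten the condition to require a relative path and refuse both line terminators, e.g. add `&& strpos($_REQUEST['return'], "\r") === false`, `&& substr($_REQUEST['return'], 0, 1) === '/'` and `&& substr($_REQUEST['return'], 0, 2) !== '//'` after the existing `strpos` check. After `header('Location: ...')` the code falls through to the `echo` lines instead of calling `exit`, so the page body is still generated alongside the redirect. The `if` sits inside a block whose opening and `} else {` branch lie outside the hunk.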
Username