In includes/functions.php there exists code to prevent redirecting to domains outside of the scope of the phpBB installation. However, the code prevents redirecting to subdomains and www/non-www domains.
I believe there needs to be a means to allow redirecting to any domain / subdomain that is covered by the phpBB cookie set. For example with the following cookie settings:
Cookie Domain: .domain.com
phpBB Installation: forum.domain.com
Main Site: www.domain.com
If I set up a redirect outside of the subdomain, phpBB will prevent this in an effort to block malicious redirecting. However, I think it fair that phpBB should allow a redirect to anywhere where the phpBB cookie is valid.
This can be fixed in the includes/functions.php file, by modifying the redirect function. The easiest, but perhaps not the most elegant solution is to compare the $url_parts['host'] (the requested redirect's host name) to $config['cookie_domain'] (the specified cookie domain).
There are generally 4 configurations for the cookie domain:
- subdomain.domain.com or www.domain.com
The redirect function would need to compare the ending of the requested redirection host to see if it qualifies as a valid redirection domain.
An empty cookie domain skips and fails the test.
A cookie domain that does or does not start with the dot can match a redirection domain that is exactly equal to domain.com, or has a subdomain + domain.com.
If the cookie domain specifies either www or a subdomain, the redirection domain must match exactly.
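The three rules above, written out as a stand-alone check. This is an added example, not phpBB's own code or the patch the post refers to; the function name host_within_cookie_domain is hypothetical, and its inputs are the $url_parts['host'] and $config['cookie_domain'] values named above. One assumption is made that the post leaves open: a cookie domain with no leading dot and exactly two labels (domain.com) is treated as the bare site domain, while any longer one (www.domain.com, forum.domain.com) is treated as a specific host that must match exactly. That label count is a simplification and would need public-suffix handling (co.uk and the like) before real use. The comparison is anchored on the dot boundary, so evildomain.com is not accepted as a match for domain.com, which is the mistake a bare "ends with" test would make.

```php
<?php
// Added example (not phpBB's own code): decide whether a redirect target host
// lies within the configured cookie domain, following the rules in the post.
// $host is $url_parts['host'] from parse_url(); $cookieDomain is
// $config['cookie_domain'].
function host_within_cookie_domain(string $host, string $cookieDomain): bool
{
    // Normalise: lower-case both sides, drop a trailing dot (FQDN form).
    $host = strtolower(rtrim($host, '.'));
    $cookieDomain = strtolower(trim($cookieDomain));

    // Rule 1: an empty cookie domain skips and fails the test.
    if ($host === '' || $cookieDomain === '') {
        return false;
    }

    // Accept only plain hostname characters before comparing anything.
    if (!preg_match('/^[a-z0-9.-]+$/', $host)) {
        return false;
    }

    $leadingDot = ($cookieDomain[0] === '.');
    $base = ltrim($cookieDomain, '.');
    if ($base === '' || !preg_match('/^[a-z0-9.-]+$/', $base)) {
        return false;
    }

    // Rule 3: a cookie domain naming www or a subdomain must match exactly.
    // Assumption: three or more labels without a leading dot means a specific
    // host was configured (this ignores public suffixes such as co.uk).
    if (!$leadingDot && substr_count($base, '.') >= 2) {
        return $host === $base;
    }

    // Rule 2: ".domain.com" or "domain.com" matches domain.com itself ...
    if ($host === $base) {
        return true;
    }
    // ... or any host ending in ".domain.com". Keeping the dot in the suffix
    // is what stops "evildomain.com" from passing as a match for "domain.com".
    $suffix = '.' . $base;
    $len = strlen($suffix);
    return strlen($host) > $len && substr($host, -$len) === $suffix;
}

// Where the check would sit inside redirect(): once $url_parts = parse_url($url)
// has run, a true result from host_within_cookie_domain($url_parts['host'],
// $config['cookie_domain']) is what would qualify the redirect.

// Constructed cases covering the settings from the post; expected result last.
$cases = [
    ['www.domain.com',   '.domain.com',    true],
    ['domain.com',       'domain.com',     true],
    ['forum.domain.com', 'domain.com',     true],
    ['evildomain.com',   'domain.com',     false],
    ['forum.domain.com', 'www.domain.com', false],
    ['www.domain.com',   'www.domain.com', true],
    ['www.domain.com',   '',               false],
];
foreach ($cases as [$host, $cookie, $expected]) {
    $result = host_within_cookie_domain($host, $cookie);
    printf("%-18s vs %-16s => %s%s\n", $host, $cookie === '' ? '(empty)' : $cookie,
        $result ? 'allow' : 'deny', $result === $expected ? '' : '  (UNEXPECTED)');
}
```

The function only answers the cookie-domain question; it is meant to sit alongside the existing same-host check in redirect(), not replace it, so a host that fails here still falls through to whatever the current code does.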
This code seems to work with the above conditions. Though it isn't very elegant and merely skips any other redirect checks if it is successful.
The variable $config needs to be set as a global for the redirect function.