Issue #2140447 by larowlan, Heine: Open redirect in overlay (forward port of SA-CORE-2013-003).

core/modules/overlay/lib/Drupal/overlay/EventSubscriber/OverlaySubscriber.php

@@ -9,6 +9,7 @@
 
 use Drupal\Core\ContentNegotiation;
 use Drupal\Core\Routing\UrlGeneratorInterface;
+use Drupal\Component\Utility\Url;
 use Drupal\user\UserData;
 use Symfony\Component\EventDispatcher\EventSubscriberInterface;
 use Symfony\Component\HttpFoundation\RedirectResponse;
@@ -106,6 +107,10 @@ public function onRequest(GetResponseEvent $event) {
         // If this page shouldn't be rendered inside the overlay, redirect to
         // the parent.
         elseif (!path_is_admin($current_path)) {
+          // Prevent open redirects by ensuring the current path is not an absolute URL.
+          if (Url::isExternal($current_path)) {
+            $current_path = '<front>';
+          }
           $response = overlay_close_dialog($current_path, array('query' => drupal_get_query_parameters(NULL, array('render'))));
           $event->setResponse($response);
         }