diff --git a/core/modules/user/user.module b/core/modules/user/user.module
index 0589862ca83ec9a39793d22536b69f57a557f565..836f101b1905dc852713051097233d3cbde763ba 100644
--- a/core/modules/user/user.module
+++ b/core/modules/user/user.module
@@ -1025,7 +1025,7 @@ function user_account_form_validate($form, &$form_state) {
 }
 
 function user_login_block($form) {
-  $form['#action'] = url(current_path(), array('query' => drupal_get_destination()));
+  $form['#action'] = url(current_path(), array('query' => drupal_get_destination(), 'external' => FALSE));
   $form['#id'] = 'user-login-form';
   $form['#validate'] = user_login_default_validators();
   $form['#submit'][] = 'user_login_submit';
diff --git a/core/modules/user/user.test b/core/modules/user/user.test
index c911088d8de196c5f753780a9d8c5e015be54eda..a4ebdd8882f3954e9a83d5bc485c6ed141287f73 100644
--- a/core/modules/user/user.test
+++ b/core/modules/user/user.test
@@ -1616,6 +1616,13 @@ class UserBlocksUnitTests extends DrupalWebTestCase {
     $this->drupalPost('filter/tips', $edit, t('Log in'));
     $this->assertNoText(t('User login'), t('Logged in.'));
     $this->assertPattern('!<title.*?' . t('Compose tips') . '.*?</title>!', t('Still on the same page after login for allowed page'));
+
+    // Check that the user login block is not vulnerable to information
+    // disclosure to third party sites.
+    $this->drupalLogout();
+    $this->drupalPost('http://example.com/', $edit, t('Log in'), array('external' => FALSE));
+    // Check that we remain on the site after login.
+    $this->assertEqual(url('user/' . $user->uid, array('absolute' => TRUE)), $this->getUrl(), t('Redirected to user profile page after login from the frontpage'));
   }
 
   /**
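Review bot: The new `'external' => FALSE` option on the `url()` call in user_login_block() is a security control with no comment explaining it, and a later cleanup could easily drop it as redundant. The test hunk in user.test shows the reason: when the request path itself looks like an absolute URL, `url()` would otherwise treat `current_path()` as external and point the login form's `action` at a third-party host, sending the submitted credentials there. I would add above the changed line: `// Force the form action to be an internal path: current_path() comes from the request and could resemble an absolute URL, which url() would otherwise treat as external and leak the posted credentials to that host.` The `destination` query value still comes from the request via drupal_get_destination(); how that redirect is validated is handled elsewhere and is outside this hunk.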
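Review bot: The assertion message on the new `assertEqual()` line says "after login from the frontpage", but the form was posted at the path `http://example.com/` (with `'external' => FALSE`, so it resolves under the site's own base URL), which is the whole point of the check; I would change it to `t('Remained on the site after login from a path resembling an external URL')` so a failure reads correctly. The test only observes the post-login URL; the assertion is indirect because drupalPost() follows whatever `action` the rendered form carries, so a direct assertion that the login form's `action` attribute stays on the site's base URL before submitting would pin the fix more precisely (hedged: depends on the assertion helpers available in this test base class). The enclosing test method and the `$user`/`$edit` it uses start outside the hunk.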