[Owncloud] fixed redirect to desired page after login

Frank Karlitschek frank at owncloud.org
Fri May 18 16:40:19 UTC 2012


I will create the final tar tomorrow evening (18:00 CET)

But everybody please keep in mind to only commit bugfixes that don't break stuff.


 
Frank


On 18.05.2012, at 18:32, Michael Gapczynski <mtgap at owncloud.com> wrote:

> It seems that the redirect isn't working with or without sanitizing the 
> redirect_url. I'm still trying to figure out what is going on with this.
> 
> I know the tar-file is being generated today, but is there a specific time?
> 
> 
> Michael
> 
> On Friday, May 18, 2012 03:42:24 PM Frank Karlitschek wrote:
>> Thanks :-)
>> 
>> On 18.05.2012, at 15:41, Michiel de Jong <michiel at unhosted.org> wrote:
>>> ok, i put it back.
>>> 
>>> this still needs to be fixed properly though.
>>> 
>>> On Fri, May 18, 2012 at 3:36 PM, Frank Karlitschek <frank at owncloud.org> wrote:
>>>> Attackers can do evil stuff if you don't filter header entries.
>>>> This code was introduced as part of a security fix a few weeks ago.
>>>> 
>>>> On 18.05.2012, at 15:20, Michiel de Jong <michiel at unhosted.org> wrote:
>>>>> how? it's a header() call.
>>>>> 
>>>>> ah i just found MTGap on irc. thanks!
>>>>> 
>>>>> On Fri, May 18, 2012 at 3:18 PM, Frank Karlitschek <frank at owncloud.org> wrote:
>>>>>> On 18.05.2012, at 15:16, Michiel de Jong <michiel at unhosted.org> wrote:
>>>>>>> Hi!
>>>>>>> 
>>>>>>> Since the new routing, if the user is made to log in, we were always
>>>>>>> sending her to the 'files' app, not to the page where she actually
>>>>>>> wanted to go. There was also htmlentities() in the redirect header
>>>>>>> which made no sense IMO.
>>>>>>> 
>>>>>>> As this is quite important code, i was waiting for someone in
>>>>>>> owncloud-dev to look at it together, but in the end i just committed
>>>>>>> this:
>>>>>>> 
>>>>>>> http://gitorious.org/owncloud/owncloud/commit/ea33b4aaa104252ff344e93a434e6c2eedcf438b/diffs/9b5e8a2c634e07d9c6e1693158e224eda7e5f673
>>>>>>> 
>>>>>> This introduces a XSS bug.
>>>>>> Please revert
>>>>>> 
>>>>>>> So maybe Georg or someone else should check if this is what was
>>>>>>> intended. At least it was broken before, and this commit fixes it.
>>>>>>> Have a nice release! tomorrow, right?
>>>>>>> 
>>>>>>> 
>>>>>>> cheers,
>>>>>>> Michiel
>>>>>>> _______________________________________________
>>>>>>> Owncloud mailing list
>>>>>>> Owncloud at kde.org
>>>>>>> https://mail.kde.org/mailman/listinfo/owncloud
>>>>> 
>> 
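
Added example, not part of the thread and not ownCloud's code: one way to validate a post-login redirect target before it reaches `header()`, assuming the target arrives in the `redirect_url` request parameter mentioned above and that only same-site paths are legitimate. The function name `safe_redirect_target`, the default path and the sample inputs are constructed for illustration.

```php
<?php
// Added illustration, not ownCloud code. Function name and inputs are constructed.

// Return $requested if it is a same-site absolute path, otherwise $default.
function safe_redirect_target(string $requested, string $default = '/index.php'): string
{
    // CR, LF, NUL and other control characters never belong in a header value.
    if ($requested === '' || preg_match('/[\x00-\x1F\x7F]/', $requested)) {
        return $default;
    }
    // Must start with exactly one slash: refuses "https://host/" and "//host/".
    if ($requested[0] !== '/' || substr($requested, 0, 2) === '//') {
        return $default;
    }
    // Backslashes are refused because some browsers treat them as slashes.
    if (strpos($requested, '\\') !== false) {
        return $default;
    }
    return $requested;
}

$samples = [
    '/apps/files/index.php?dir=/photos&sort=name', // local page with a query string
    'https://example.org/',                        // absolute URL to another site
    '//example.org/',                              // scheme-relative URL
    "/index.php\r\nX-Constructed: 1",              // embedded line break
];
foreach ($samples as $s) {
    printf("%-50s => %s\n", json_encode($s), safe_redirect_target($s));
}

// htmlentities() is an HTML-output encoder: it rewrites "&" and leaves CR/LF
// untouched, so it neither preserves the query string nor filters the header value.
$target = safe_redirect_target($samples[0]);
echo htmlentities($target), "\n";

// Header context: send the validated value as is, without HTML encoding.
// header('Location: ' . $target);

// HTML context (for example a hidden field on the login form): encode on output.
echo '<input type="hidden" name="redirect_url" value="'
    . htmlspecialchars($target, ENT_QUOTES, 'UTF-8') . '">', "\n";
```

The same value needs different handling per sink: validation before it goes into the `Location` header, HTML encoding only where it is written into markup.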



