[Owncloud] fixed redirect to desired page after login

Michiel de Jong michiel at unhosted.org
Fri May 18 13:41:42 UTC 2012


ok, i put it back.

this still needs to be fixed properly though.

On Fri, May 18, 2012 at 3:36 PM, Frank Karlitschek <frank at owncloud.org> wrote:
> Attackers can do evil stuff if you don't filter header entries.
> This code was introduced as part of a security fix a few weeks ago.
>
>
>
> On 18.05.2012, at 15:20, Michiel de Jong <michiel at unhosted.org> wrote:
>
>> how? it's a header() call.
>>
>> ah i just found MTGap on irc. thanks!
>>
>> On Fri, May 18, 2012 at 3:18 PM, Frank Karlitschek <frank at owncloud.org> wrote:
>>>
>>> On 18.05.2012, at 15:16, Michiel de Jong <michiel at unhosted.org> wrote:
>>>
>>>> Hi!
>>>>
>>>> Since the new routing, if the user is made to log in, we were always
>>>> sending her to the 'files' app, not to the page where she actually
>>>> wanted to go. There was also htmlentities() in the redirect header
>>>> which made no sense IMO.
>>>>
>>>> As this is quite important code, i was waiting for someone in
>>>> owncloud-dev to look at it together, but in the end i just committed
>>>> this:
>>>>
>>>> http://gitorious.org/owncloud/owncloud/commit/ea33b4aaa104252ff344e93a434e6c2eedcf438b/diffs/9b5e8a2c634e07d9c6e1693158e224eda7e5f673
>>>>
>>>
>>> This introduces an XSS bug.
>>> Please revert
>>>
>>>
>>>> So maybe Georg or someone else should check if this is what was
>>>> intended. At least it was broken before, and this commit fixes it.
>>>> Have a nice release! tomorrow, right?
>>>>
>>>>
>>>> cheers,
>>>> Michiel
>>>> _______________________________________________
>>>> Owncloud mailing list
>>>> Owncloud at kde.org
>>>> https://mail.kde.org/mailman/listinfo/owncloud
>>>
>
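One defensive way to handle the post-login redirect target discussed in this thread, written here as an added example and not ownCloud's own code. It assumes the requested page arrives as a request parameter named redirect_url and that the fallback is a files-app path (both assumptions); the point is that the value sent to header() must be validated as a same-site path, while htmlentities() belongs only where the value is echoed into HTML.

```php
<?php
// Added example (not ownCloud code): validate a post-login redirect target
// before it reaches header('Location: ...').
// Assumption: the target arrives as $_REQUEST['redirect_url'] and the
// fallback path below stands in for the files app.

/**
 * Return a safe same-site path, or $fallback if the candidate is untrusted.
 * Rejects control characters (header injection), absolute and
 * protocol-relative URLs (redirects off-site), and anything with a scheme.
 */
function safeRedirectPath(?string $candidate, string $fallback = '/index.php/apps/files'): string
{
    if ($candidate === null || $candidate === '') {
        return $fallback;
    }
    // CR/LF or other control bytes could terminate the Location header.
    if (preg_match('/[\x00-\x1F\x7F]/', $candidate)) {
        return $fallback;
    }
    // Must start with a single "/" (not "//" or "/\", which browsers treat as scheme-relative).
    if (!preg_match('#^/(?![/\\\\])#', $candidate)) {
        return $fallback;
    }
    // Belt and braces: a bare path never carries a scheme or host.
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    return $candidate;
}

// Where the redirect is issued: no HTML escaping of a header value.
// header('Location: ' . safeRedirectPath($_REQUEST['redirect_url'] ?? null));
// exit;

// Where the target is echoed back into the login form, HTML escaping is the right tool:
// echo '<input type="hidden" name="redirect_url" value="'
//    . htmlspecialchars($_REQUEST['redirect_url'] ?? '', ENT_QUOTES, 'UTF-8') . '">';

// Constructed inputs showing the decision for each case.
foreach (['/index.php/apps/calendar?view=week', "/x\r\nSet-Cookie: a=b",
          '//evil.example/', 'http://evil.example/', 'javascript:alert(1)'] as $in) {
    printf("%-40s => %s\n", json_encode($in), safeRedirectPath($in));
}
```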
