[Owncloud] fixed redirect to desired page after login

Frank Karlitschek frank at owncloud.org
Fri May 18 13:42:24 UTC 2012


Thanks :-)

On 18.05.2012, at 15:41, Michiel de Jong <michiel at unhosted.org> wrote:

> ok, i put it back.
> 
> this still needs to be fixed properly though.
> 
> On Fri, May 18, 2012 at 3:36 PM, Frank Karlitschek <frank at owncloud.org> wrote:
>> Attackers can do evil stuff if you don't filter header entries.
>> This code was introduced as part of a security fix a few weeks ago.
>> 
>> 
>> 
>> On 18.05.2012, at 15:20, Michiel de Jong <michiel at unhosted.org> wrote:
>> 
>>> how? it's a header() call.
>>> 
>>> ah i just found MTGap on irc. thanks!
>>> 
>>> On Fri, May 18, 2012 at 3:18 PM, Frank Karlitschek <frank at owncloud.org> wrote:
>>>> 
>>>> On 18.05.2012, at 15:16, Michiel de Jong <michiel at unhosted.org> wrote:
>>>> 
>>>>> Hi!
>>>>> 
>>>>> Since the new routing, if the user is made to log in, we were always
>>>>> sending her to the 'files' app, not to the page where she actually
>>>>> wanted to go. There was also htmlentities() in the redirect header
>>>>> which made no sense IMO.
>>>>> 
>>>>> As this is quite important code, i was waiting for someone in
>>>>> owncloud-dev to look at it together, but in the end i just committed
>>>>> this:
>>>>> 
>>>>> http://gitorious.org/owncloud/owncloud/commit/ea33b4aaa104252ff344e93a434e6c2eedcf438b/diffs/9b5e8a2c634e07d9c6e1693158e224eda7e5f673
>>>>> 
>>>> 
>>>> This introduces an XSS bug.
>>>> Please revert
>>>> 
>>>> 
>>>>> So maybe Georg or someone else should check if this is what was
>>>>> intended. At least it was broken before, and this commit fixes it.
>>>>> Have a nice release! tomorrow, right?
>>>>> 
>>>>> 
>>>>> cheers,
>>>>> Michiel
>>>>> _______________________________________________
>>>>> Owncloud mailing list
>>>>> Owncloud at kde.org
>>>>> https://mail.kde.org/mailman/listinfo/owncloud
>>>> 
>> 
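The thread is about filtering the post-login redirect target before it reaches header(). As an added example that is not ownCloud's code or the commit under discussion, here is a PHP check for that value; the function name, the `redirect_url` parameter and the sample inputs are assumptions:

```php
<?php
// Added example, not ownCloud's code: validate the post-login redirect target
// before it is placed in header('Location: ...').
// htmlentities() is the wrong tool for this: it escapes HTML bodies, and a
// Location header value is never rendered as HTML.

/**
 * Return a safe same-origin path for the Location header, or $fallback.
 * Only local absolute paths such as "/index.php/apps/calendar?v=month" pass.
 */
function safeRedirectTarget($requested, $fallback = '/')
{
    if (!is_string($requested) || $requested === '') {
        return $fallback;
    }
    // Header injection: CR, LF or NUL inside the value could terminate the
    // Location line and start another header in servers that do not strip them.
    if (preg_match('/[\r\n\0]/', $requested)) {
        return $fallback;
    }
    // Open redirect: reject absolute ("http://other.example") and
    // protocol-relative ("//other.example") URLs, and backslashes, which
    // some browsers treat as forward slashes.
    if ($requested[0] !== '/' || substr($requested, 0, 2) === '//'
        || strpos($requested, '\\') !== false) {
        return $fallback;
    }
    $parts = parse_url($requested);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    return $requested;
}

// Constructed inputs (assumptions, not values from the thread).
$cases = array(
    '/index.php/apps/calendar?v=month'  => '/index.php/apps/calendar?v=month',
    'http://other.example/login'        => '/',
    '//other.example/login'             => '/',
    "/index.php\r\nSet-Cookie: oc=x"    => '/',
    ''                                  => '/',
);
foreach ($cases as $in => $want) {
    assert(safeRedirectTarget($in) === $want);
}

// Assumed request parameter name; the real name depends on the router.
$target = isset($_GET['redirect_url']) ? $_GET['redirect_url'] : null;
header('Location: ' . safeRedirectTarget($target));
```

PHP's own header() has refused values containing newlines since 5.1.2, but validating before the call makes the policy explicit and also covers the open-redirect case, which header() does nothing about.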