[Owncloud] fixed redirect to desired page after login

Michiel de Jong michiel at unhosted.org
Fri May 18 16:39:01 UTC 2012


for me it works if you remove htmlentities() on line 315 of lib/utils.php.

To test, log out, then visit /?app=music&a=b

Current master will make you go to /?app=music&a=b

On Fri, May 18, 2012 at 6:32 PM, Michael Gapczynski <mtgap at owncloud.com> wrote:
> It seems that the redirect isn't working with or without sanitizing the
> redirect_url. I'm still trying to figure out what is going on with this.
>
> I know the tar-file is being generated today, but is there a specific time?
>
>
> Michael
>
> On Friday, May 18, 2012 03:42:24 PM Frank Karlitschek wrote:
>> Thanks :-)
>>
>> On 18.05.2012, at 15:41, Michiel de Jong <michiel at unhosted.org> wrote:
>> > ok, i put it back.
>> >
>> > this still needs to be fixed properly though.
>> >
>> > On Fri, May 18, 2012 at 3:36 PM, Frank Karlitschek <frank at owncloud.org>
> wrote:
>> >> Attackers can do evil stuff if you don't filter header entries.
>> >> This code was introduced as part of a security fix a few weeks ago.
>> >>
>> >> On 18.05.2012, at 15:20, Michiel de Jong <michiel at unhosted.org> wrote:
>> >>> how? it's a header() call.
>> >>>
>> >>> ah i just found MTGap on irc. thanks!
>> >>>
>> >>> On Fri, May 18, 2012 at 3:18 PM, Frank Karlitschek <frank at owncloud.org>
> wrote:
>> >>>> On 18.05.2012, at 15:16, Michiel de Jong <michiel at unhosted.org> wrote:
>> >>>>> Hi!
>> >>>>>
>> >>>>> Since the new routing, if the user is made to log in, we were always
>> >>>>> sending her to the 'files' app, not to the page where she actually
>> >>>>> wanted to go. There was also htmlentities() in the redirect header
>> >>>>> which made no sense IMO.
>> >>>>>
>> >>>>> As this is quite important code, i was waiting for someone in
>> >>>>> owncloud-dev to look at it together, but in the end i just committed
>> >>>>> this:
>> >>>>>
>> >>>>> http://gitorious.org/owncloud/owncloud/commit/ea33b4aaa104252ff344e93a434e6c2eedcf438b/diffs/9b5e8a2c634e07d9c6e1693158e224eda7e5f673
>> >>>>
>> >>>> This introduces an XSS bug.
>> >>>> Please revert
>> >>>>
>> >>>>> So maybe Georg or someone else should check if this is what was
>> >>>>> intended. At least it was broken before, and this commit fixes it.
>> >>>>> Have a nice release! tomorrow, right?
>> >>>>>
>> >>>>>
>> >>>>> cheers,
>> >>>>> Michiel
>> >>>>> _______________________________________________
>> >>>>> Owncloud mailing list
>> >>>>> Owncloud at kde.org
>> >>>>> https://mail.kde.org/mailman/listinfo/owncloud
>> >>>
>>
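The thread turns on two separate sinks that the redirect_url value reaches: the Location header sent by header(), and (whenever the value is echoed back into a page) an HTML attribute. The example below is added here to illustrate that separation; it is not ownCloud code and not the change in lib/utils.php being discussed, and the function names, the DEFAULT_TARGET constant and the test inputs are all made up for this illustration. It shows why htmlentities() on the header value breaks a target like /?app=music&a=b (the "&" becomes "&amp;"), what filtering of the header value actually guards against (CRLF header injection and off-site redirects), and where HTML escaping does belong.

```php
<?php
// Added example, not ownCloud's code. Names below are hypothetical.

const DEFAULT_TARGET = '/?app=files';   // assumed fallback after login

/**
 * Return a post-login redirect target that is safe to put into a header.
 * Anything that is not a plain root-relative path on this origin falls
 * back to DEFAULT_TARGET; a legitimate value is returned unmodified.
 */
function safe_redirect_target(?string $candidate): string
{
    if ($candidate === null || $candidate === '') {
        return DEFAULT_TARGET;
    }
    // CR/LF would let the caller append further headers or a response body.
    // PHP's header() also refuses such values, but the policy should not
    // depend on the runtime; reject explicitly.
    if (preg_match('/[\r\n]/', $candidate)) {
        return DEFAULT_TARGET;
    }
    // Require "/..." but not "//host" or "/\host": browsers treat both of the
    // latter as scheme-relative, i.e. an off-site redirect.
    if (!preg_match('#^/(?![/\\\\])#', $candidate)) {
        return DEFAULT_TARGET;
    }
    // Belt and braces: nothing that parses as a scheme or host may get through.
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return DEFAULT_TARGET;
    }
    return $candidate;
}

/** Header sink: no HTML encoding here, the value is not in an HTML context. */
function redirect_after_login(?string $candidate): void
{
    header('Location: ' . safe_redirect_target($candidate), true, 303);
    exit;
}

/** HTML sink: when the same value is reflected into the login form, escape it here. */
function hidden_redirect_field(?string $candidate): string
{
    $target = safe_redirect_target($candidate);
    return '<input type="hidden" name="redirect_url" value="'
        . htmlspecialchars($target, ENT_QUOTES, 'UTF-8') . '">';
}

if (PHP_SAPI === 'cli') {
    // Constructed test inputs.
    $cases = [
        '/?app=music&a=b',                   // legitimate: returned intact
        'http://evil.example/',              // absolute URL: fallback
        '//evil.example/',                   // scheme-relative: fallback
        '/\\evil.example/',                  // backslash variant: fallback
        "/?app=music\r\nSet-Cookie: x=y",    // header injection: fallback
        null,                                // missing: fallback
    ];
    foreach ($cases as $c) {
        printf("%-42s => %s\n", var_export($c, true), safe_redirect_target($c));
    }
    // What entity-encoding the header value would have produced: the query
    // string arrives at the server as app=music&amp;a=b, so "a" is never set.
    echo htmlentities('/?app=music&a=b'), "\n";
    echo hidden_redirect_field('/?app=music&a=b'), "\n";
}
```

Run it with php on the command line to see the table of inputs and outputs. The design point is that the filtering Frank asks for is a validation of the header value (no line breaks, same-origin path only), whereas htmlentities() is an encoding for a different context; applying it to the header does not prevent header injection and does corrupt the target, and omitting it from the HTML form without escaping there is how the reflected value becomes an XSS sink.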
