[Owncloud] fixed redirect to desired page after login

Michael Gapczynski mtgap at owncloud.com
Fri May 18 21:09:17 UTC 2012


On Friday, May 18, 2012 06:39:01 PM Michiel de Jong wrote:
> for me it works if you remove htmlentities() on line 315 of lib/utils.php.
> 
> To test, log out, then visit /?app=music&a=b
> 
> Current master will make you go to /?app=music&a=b

That worked for redirecting to apps, but it didn't work for redirecting to any 
of the settings pages that don't load off of index.php. That's why the login 
page also needs to look at $_REQUEST['redirect_url'].

Redirects should be working and open redirects should be prevented in master.


Michael


> 
> On Fri, May 18, 2012 at 6:32 PM, Michael Gapczynski <mtgap at owncloud.com> wrote:
> > It seems that the redirect isn't working with or without sanitizing the
> > redirect_url. I'm still trying to figure out what is going on with this.
> > 
> > I know the tar-file is being generated today, but is there a specific
> > time?
> > 
> > 
> > Michael
> > 
> > On Friday, May 18, 2012 03:42:24 PM Frank Karlitschek wrote:
> >> Thanks :-)
> >> 
> >> On 18.05.2012, at 15:41, Michiel de Jong <michiel at unhosted.org> wrote:
> >> > ok, i put it back.
> >> > 
> >> > this still needs to be fixed properly though.
> >> > 
> >> > On Fri, May 18, 2012 at 3:36 PM, Frank Karlitschek <frank at owncloud.org> wrote:
> >> >> Attackers can do evil stuff if you don't filter header entries.
> >> >> This code was introduced as part of a security fix a few weeks ago.
> >> >> 
> >> >> On 18.05.2012, at 15:20, Michiel de Jong <michiel at unhosted.org> wrote:
> >> >>> how? it's a header() call.
> >> >>> 
> >> >>> ah i just found MTGap on irc. thanks!
> >> >>> 
> >> >>> On Fri, May 18, 2012 at 3:18 PM, Frank Karlitschek <frank at owncloud.org> wrote:
> >> >>>> On 18.05.2012, at 15:16, Michiel de Jong <michiel at unhosted.org> wrote:
> >> >>>>> Hi!
> >> >>>>> 
> >> >>>>> Since the new routing, if the user is made to log in, we were
> >> >>>>> always
> >> >>>>> sending her to the 'files' app, not to the page where she actually
> >> >>>>> wanted to go. There was also htmlentities() in the redirect header
> >> >>>>> which made no sense IMO.
> >> >>>>> 
> >> >>>>> As this is quite important code, i was waiting for someone in
> >> >>>>> owncloud-dev to look at it together, but in the end i just
> >> >>>>> committed
> >> >>>>> this:
> >> >>>>> 
> >> >>>>> http://gitorious.org/owncloud/owncloud/commit/ea33b4aaa104252ff344e93a434e6c2eedcf438b/diffs/9b5e8a2c634e07d9c6e1693158e224eda7e5f673
> >> >>>> 
> >> >>>> This introduces a XSS bug.
> >> >>>> Please revert
> >> >>>> 
> >> >>>>> So maybe Georg or someone else should check if this is what was
> >> >>>>> intended. At least it was broken before, and this commit fixes it.
> >> >>>>> Have a nice release! tomorrow, right?
> >> >>>>> 
> >> >>>>> 
> >> >>>>> cheers,
> >> >>>>> Michiel
> >> >>>>> _______________________________________________
> >> >>>>> Owncloud mailing list
> >> >>>>> Owncloud at kde.org
> >> >>>>> https://mail.kde.org/mailman/listinfo/owncloud
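The thread above settles on two points: the login page must honour `$_REQUEST['redirect_url']`, and the value must be checked so it can neither inject headers nor send the user off-site, without HTML-encoding it (which is what broke `/?app=music&a=b`). The following is an added illustration of such a check, not ownCloud's own code; the function and constant names are hypothetical.

```php
<?php
// Added example (not ownCloud's code): accept a post-login redirect target only
// if it is a plain same-site path. Names here are hypothetical.

const DEFAULT_TARGET = '/';

/**
 * Return a value that is safe to place in a Location header, or DEFAULT_TARGET.
 */
function safe_redirect_target(?string $candidate): string
{
    if ($candidate === null || $candidate === '') {
        return DEFAULT_TARGET;
    }
    // Header injection: no raw or percent-encoded CR/LF may reach header().
    if (preg_match('/[\r\n]|%0[ad]/i', $candidate)) {
        return DEFAULT_TARGET;
    }
    // Must be an absolute path on this site. "//host" and "/\host" are
    // protocol-relative URLs to another origin, so they are rejected too.
    if ($candidate[0] !== '/' || preg_match('#^/[/\\\\]#', $candidate)) {
        return DEFAULT_TARGET;
    }
    // Second check: parse_url must see neither a scheme nor a host.
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return DEFAULT_TARGET;
    }
    // Not HTML-encoded: a Location header is not HTML, and turning "&" into
    // "&amp;" corrupts query strings such as ?app=music&a=b.
    return $candidate;
}

// Login page usage (constructed). If the same value is also echoed into the
// login form as a hidden field, escape it there with htmlspecialchars(): that
// is the HTML context where the XSS concern applies, not the header.
$target = safe_redirect_target($_REQUEST['redirect_url'] ?? null);
// header('Location: ' . $target);
```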