[Owncloud] fixed redirect to desired page after login

Georg Ehrke ownclouddev at georgswebsite.de
Fri May 18 22:00:28 UTC 2012


On 18.05.2012 at 23:09, Michael Gapczynski wrote:

> On Friday, May 18, 2012 06:39:01 PM Michiel de Jong wrote:
>> for me it works if you remove htmlentities() on line 315 of lib/utils.php.
>> 
>> To test, log out, then visit /?app=music&a=b
>> 
>> Current master will make you go to /?app=music&a=b
> 
> That worked for redirecting to apps, but it didn't work for redirecting to any 
> of the settings pages that don't load off of index.php. That's why the login 
> page also needs to look at $_REQUEST['redirect_url'].
> 
> Redirects should be working and open redirects should be prevented in master.
> 
Would it be enough to deny redirect_urls which match an http(s) URL pattern?
> 
> Michael
> 
> 
>> 
>> On Fri, May 18, 2012 at 6:32 PM, Michael Gapczynski <mtgap at owncloud.com> 
> wrote:
>>> It seems that the redirect isn't working with or without sanitizing the
>>> redirect_url. I'm still trying to figure out what is going on with this.
>>> 
>>> I know the tar-file is being generated today, but is there a specific
>>> time?
>>> 
>>> 
>>> Michael
>>> 
>>> On Friday, May 18, 2012 03:42:24 PM Frank Karlitschek wrote:
>>>> Thanks :-)
>>>> 
>>>> On 18.05.2012, at 15:41, Michiel de Jong <michiel at unhosted.org> wrote:
>>>>> ok, i put it back.
>>>>> 
>>>>> this still needs to be fixed properly though.
>>>>> 
>>>>> On Fri, May 18, 2012 at 3:36 PM, Frank Karlitschek <frank at owncloud.org>
>>> 
>>> wrote:
>>>>>> Attackers can do evil stuff if you don't filter header entries.
>>>>>> This code was introduced as part of a security fix a few weeks ago.
>>>>>> 
>>>>>> On 18.05.2012, at 15:20, Michiel de Jong <michiel at unhosted.org> wrote:
>>>>>>> how? it's a header() call.
>>>>>>> 
>>>>>>> ah i just found MTGap on irc. thanks!
>>>>>>> 
>>>>>>> On Fri, May 18, 2012 at 3:18 PM, Frank Karlitschek
>>>>>>> <frank at owncloud.org>
>>> 
>>> wrote:
>>>>>>>> On 18.05.2012, at 15:16, Michiel de Jong <michiel at unhosted.org> 
> wrote:
>>>>>>>>> Hi!
>>>>>>>>> 
>>>>>>>>> Since the new routing, if the user is made to log in, we were
>>>>>>>>> always
>>>>>>>>> sending her to the 'files' app, not to the page where she actually
>>>>>>>>> wanted to go. There was also htmlentities() in the redirect header
>>>>>>>>> which made no sense IMO.
>>>>>>>>> 
>>>>>>>>> As this is quite important code, i was waiting for someone in
>>>>>>>>> owncloud-dev to look at it together, but in the end i just
>>>>>>>>> committed
>>>>>>>>> this:
>>>>>>>>> 
>>>>>>>>> http://gitorious.org/owncloud/owncloud/commit/ea33b4aaa104252ff344e93a434e6c2eedcf438b/diffs/9b5e8a2c634e07d9c6e1693158e224eda7e5f673
>>>>>>>> 
>>>>>>>> This introduces a XSS bug.
>>>>>>>> Please revert
>>>>>>>> 
>>>>>>>>> So maybe Georg or someone else should check if this is what was
>>>>>>>>> intended. At least it was broken before, and this commit fixes it.
>>>>>>>>> Have a nice release! tomorrow, right?
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> cheers,
>>>>>>>>> Michiel
>>>>>>>>> _______________________________________________
>>>>>>>>> Owncloud mailing list
>>>>>>>>> Owncloud at kde.org
>>>>>>>>> https://mail.kde.org/mailman/listinfo/owncloud
>>>>>>> 
>>>> 
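The thread raises two separate problems with the post-login redirect: htmlentities() applied to a Location header (wrong context, and it turns "&" into "&amp;" so the redirect breaks), and the open-redirect / header-injection risk once the value is passed through unencoded. Georg's question is whether denying anything matching an http(s) pattern is enough. The following is an added example, not ownCloud code from the commit under discussion; the function names, the fallback target /index.php?app=files and the sample inputs are assumptions made for illustration. It shows a whitelist-style check (the target must be a single absolute path on this host) rather than a deny-list on the scheme, because a deny-list on "http(s)" still lets protocol-relative and backslash forms through.

```php
<?php
// Added example (not ownCloud's code): validate a login redirect_url before
// it is placed in a Location: header. Names and sample inputs are assumptions.

function is_safe_redirect_target(string $url): bool
{
    // Reject empty values and any control character. CR/LF in the value is the
    // header-injection case: it would terminate the Location header and let an
    // attacker append headers or a response body of their own.
    if ($url === '' || preg_match('/[\x00-\x1F\x7F]/', $url)) {
        return false;
    }

    // Whitelist: exactly one leading "/" followed by something that is not "/"
    // or "\". This excludes "http://..." and "https://...", but also
    // "//evil.example" (protocol-relative, honoured by every browser) and
    // "/\evil.example" (some browsers treat the backslash as a slash).
    // A plain "deny http(s)" regex would let both of those through.
    if ($url[0] !== '/') {
        return false;
    }
    if (strlen($url) > 1 && ($url[1] === '/' || $url[1] === '\\')) {
        return false;
    }

    // Defence in depth: after the checks above parse_url() must see neither a
    // scheme nor a host, otherwise the value is not a local path.
    $parts = parse_url($url);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return false;
    }
    return true;
}

// Returns the URL the login handler should redirect to. The requested value is
// used only if it passes the check; otherwise the default app is used.
function redirect_after_login(string $requested, string $fallback = '/index.php?app=files'): string
{
    // Deliberately no htmlentities() here: a Location header is not an HTML
    // context, and encoding "&" as "&amp;" is what broke "/?app=music&a=b".
    return is_safe_redirect_target($requested) ? $requested : $fallback;
}

// Constructed sample inputs (assumptions, not taken from the thread).
$samples = [
    '/?app=music&a=b',                    // allowed: local path with query
    '/settings/users.php',                // allowed: settings page outside index.php
    'http://evil.example/',               // denied: absolute URL
    'https://evil.example/',              // denied: absolute URL
    '//evil.example/',                    // denied: protocol-relative
    '/\\evil.example/',                   // denied: backslash trick
    "/?app=files\r\nSet-Cookie: x=1",     // denied: CRLF header injection
    "\thttp://evil.example/",             // denied: leading control character
    'javascript:alert(1)',                // denied: no leading slash
];

foreach ($samples as $s) {
    printf("%-40s -> %s\n", json_encode($s), redirect_after_login($s));
}
```

The check runs on the raw value; it does not URL-decode first, which is correct because the browser does not decode a path before choosing the host either. The same value is also echoed into the login page (the thread notes the login page reads $_REQUEST['redirect_url']); in that HTML context htmlspecialchars() is the right tool, so the encoding moves from the header to the form rather than disappearing. Recent PHP releases refuse a header() argument that contains a newline, but applying the control-character check yourself costs nothing and also protects the value when it is reused outside header().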