[Owncloud] fixed redirect to desired page after login

Michael Gapczynski mtgap at owncloud.com
Fri May 18 22:37:42 UTC 2012


On Saturday, May 19, 2012 12:00:28 AM Georg Ehrke wrote:
> Am 18.05.2012 um 23:09 schrieb Michael Gapczynski:
> > On Friday, May 18, 2012 06:39:01 PM Michiel de Jong wrote:
> >> for me it works if you remove htmlentities() on line 315 of
> >> lib/utils.php.
> >> 
> >> To test, log out, then visit /?app=music&a=b
> >> 
> >> Current master will make you go to /?app=music&a=b
> > 
> > That worked for redirecting to apps, but it didn't work for redirecting to
> > any of the settings pages that don't load off of index.php. That's why
> > the login page also needs to look at $_REQUEST['redirect_url'].
> > 
> > Redirects should be working and open redirects should be prevented in
> > master.
> Would it be enough to deny redirect_urls, which match a http(s) url pattern?

I thought about that, but wouldn't that mean you'd also have to check for 
.com, .net, .org, etc. ?

> > Michael
> > 
> >> On Fri, May 18, 2012 at 6:32 PM, Michael Gapczynski <mtgap at owncloud.com> wrote:
> >>> It seems that the redirect isn't working with or without sanitizing the
> >>> redirect_url. I'm still trying to figure out what is going on with this.
> >>> 
> >>> I know the tar-file is being generated today, but is there a specific
> >>> time?
> >>> 
> >>> 
> >>> Michael
> >>> 
> >>> On Friday, May 18, 2012 03:42:24 PM Frank Karlitschek wrote:
> >>>> Thanks :-)
> >>>> 
> >>>> On 18.05.2012, at 15:41, Michiel de Jong <michiel at unhosted.org> wrote:
> >>>>> ok, i put it back.
> >>>>> 
> >>>>> this still needs to be fixed properly though.
> >>>>> 
> >>>>> On Fri, May 18, 2012 at 3:36 PM, Frank Karlitschek <frank at owncloud.org> wrote:
> >>>>>> Attackers can do evil stuff if you don't filter header entries.
> >>>>>> This code was introduced as part of a security fix a few weeks ago.
> >>>>>> 
> >>>>>> On 18.05.2012, at 15:20, Michiel de Jong <michiel at unhosted.org> wrote:
> >>>>>>> how? it's a header() call.
> >>>>>>> 
> >>>>>>> ah i just found MTGap on irc. thanks!
> >>>>>>> 
> >>>>>>> On Fri, May 18, 2012 at 3:18 PM, Frank Karlitschek <frank at owncloud.org> wrote:
> >>>>>>>> On 18.05.2012, at 15:16, Michiel de Jong <michiel at unhosted.org> wrote:
> >>>>>>>>> Hi!
> >>>>>>>>> 
> >>>>>>>>> Since the new routing, if the user is made to log in, we were
> >>>>>>>>> always sending her to the 'files' app, not to the page where she
> >>>>>>>>> actually wanted to go. There was also htmlentities() in the redirect
> >>>>>>>>> header which made no sense IMO.
> >>>>>>>>> 
> >>>>>>>>> As this is quite important code, i was waiting for someone in
> >>>>>>>>> owncloud-dev to look at it together, but in the end i just committed
> >>>>>>>>> this:
> >>>>>>>>> 
> >>>>>>>>> http://gitorious.org/owncloud/owncloud/commit/ea33b4aaa104252ff344e93a434e6c2eedcf438b/diffs/9b5e8a2c634e07d9c6e1693158e224eda7e5f673
> >>>>>>>> 
> >>>>>>>> This introduces an XSS bug.
> >>>>>>>> Please revert
> >>>>>>>> 
> >>>>>>>>> So maybe Georg or someone else should check if this is what was
> >>>>>>>>> intended. At least it was broken before, and this commit fixes it.
> >>>>>>>>> Have a nice release! tomorrow, right?
> >>>>>>>>> 
> >>>>>>>>> 
> >>>>>>>>> cheers,
> >>>>>>>>> Michiel
> >>>>>>>>> _______________________________________________
> >>>>>>>>> Owncloud mailing list
> >>>>>>>>> Owncloud at kde.org
> >>>>>>>>> https://mail.kde.org/mailman/listinfo/owncloud
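The allow-list alternative to Georg's deny-pattern idea (accept only a local path instead of trying to enumerate http(s) patterns or TLDs), as an added example that is not ownCloud's code: `safeRedirectTarget` and `loginRedirect` are hypothetical names, the sample inputs are constructed, and `$origin` is assumed to come from server configuration.

```php
<?php
// Added example, not ownCloud code: allow-list check for a login redirect_url.
// Rather than denying http(s) patterns or TLDs, accept only a local absolute
// path and rebuild the Location value from the server's own configured origin.
// Assumes PHP 7+; the function names are hypothetical.

// Return $target if it is a safe local path, otherwise $default.
function safeRedirectTarget($target, string $default = '/'): string
{
    if (!is_string($target) || $target === '' || $target[0] !== '/') {
        return $default;
    }
    // CR/LF or other control characters would let the value inject extra
    // headers through header('Location: ...'); refuse them outright.
    if (preg_match('/[\x00-\x1F\x7F]/', $target)) {
        return $default;
    }
    // "//host/" and "/\host/" are protocol-relative URLs to a browser and
    // would leave this site, so require exactly one leading slash.
    if (isset($target[1]) && ($target[1] === '/' || $target[1] === '\\')) {
        return $default;
    }
    // Anything that still parses with a scheme, host or userinfo is not local.
    $parts = parse_url($target);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])
        || isset($parts['user'])) {
        return $default;
    }
    return $target;
}

// Build the Location header value. $origin is assumed to come from server
// configuration (e.g. config.php), never from the client-sent Host header.
function loginRedirect(string $origin, array $request): string
{
    $path = safeRedirectTarget($request['redirect_url'] ?? null, '/?app=files');
    return rtrim($origin, '/') . $path;
}

// Constructed inputs: an app page, a settings page outside index.php, and
// three values that must fall back to the default target.
foreach (['/?app=music&a=b', '/settings/personal.php', '//other.example/',
          'http://other.example/', "/x\r\nSet-Cookie: a=b"] as $value) {
    echo loginRedirect('https://cloud.example', ['redirect_url' => $value]), "\n";
}
```

Because the final value is always the configured origin plus a validated path, a `.com`/`.net` style check is unnecessary: a bare `example.com/foo` fails the leading-slash rule and falls back to the default target.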
