[Owncloud] fixed redirect to desired page after login

Georg Ehrke ownclouddev at georgswebsite.de
Fri May 18 22:50:57 UTC 2012


On 19.05.2012 at 00:37, Michael Gapczynski wrote:

> On Saturday, May 19, 2012 12:00:28 AM Georg Ehrke wrote:
>> On 18.05.2012 at 23:09, Michael Gapczynski wrote:
>>> On Friday, May 18, 2012 06:39:01 PM Michiel de Jong wrote:
>>>> for me it works if you remove htmlentities() on line 315 of
>>>> lib/utils.php.
>>>> 
>>>> To test, log out, then visit /?app=music&a=b
>>>> 
>>>> Current master will make you go to /?app=music&a=b
>>> 
>>> That worked for redirecting to apps, but it didn't work for redirecting to
>>> any of the settings pages that don't load off of index.php. That's why
>>> the login page also needs to look at $_REQUEST['redirect_url'].
It's actually working for me. Open Redirect is also denied.
>>> 
>>> Redirects should be working and open redirects should be prevented in
>>> master.
>> Would it be enough to deny redirect_urls, which match a http(s) url pattern?
> 
> I thought about that, but wouldn't that mean you'd also have to check for 
> .com, .net, .org, etc. ?

Just:
if(preg_match('|^http(s)?://[a-z0-9-]+(\.[a-z0-9-]+)*(:[0-9]+)?(/.*)?$|i', $_GET['redirect_url'])){
	//deny: the value is an absolute http(s) URL, not a local path
}

>>> Michael
>>> 
>>>> On Fri, May 18, 2012 at 6:32 PM, Michael Gapczynski <mtgap at owncloud.com> wrote:
>>>>> It seems that the redirect isn't working with or without sanitizing the
>>>>> redirect_url. I'm still trying to figure out what is going on with this.
>>>>> 
>>>>> I know the tar-file is being generated today, but is there a specific
>>>>> time?
>>>>> 
>>>>> 
>>>>> Michael
>>>>> 
>>>>> On Friday, May 18, 2012 03:42:24 PM Frank Karlitschek wrote:
>>>>>> Thanks :-)
>>>>>> 
>>>>>> On 18.05.2012, at 15:41, Michiel de Jong <michiel at unhosted.org> wrote:
>>>>>>> ok, i put it back.
>>>>>>> 
>>>>>>> this still needs to be fixed properly though.
>>>>>>> 
>>>>>>> On Fri, May 18, 2012 at 3:36 PM, Frank Karlitschek <frank at owncloud.org> wrote:
>>>>>>>> Attackers can do evil stuff if you don't filter header entries.
>>>>>>>> This code was introduced as part of a security fix a few weeks ago.
>>>>>>>> 
>>>>>>>> On 18.05.2012, at 15:20, Michiel de Jong <michiel at unhosted.org> wrote:
>>>>>>>>> how? it's a header() call.
>>>>>>>>> 
>>>>>>>>> ah i just found MTGap on irc. thanks!
>>>>>>>>> 
>>>>>>>>> On Fri, May 18, 2012 at 3:18 PM, Frank Karlitschek <frank at owncloud.org> wrote:
>>>>>>>>>> On 18.05.2012, at 15:16, Michiel de Jong <michiel at unhosted.org> wrote:
>>>>>>>>>>> Hi!
>>>>>>>>>>> 
>>>>>>>>>>> Since the new routing, if the user is made to log in, we were
>>>>>>>>>>> always
>>>>>>>>>>> sending her to the 'files' app, not to the page where she actually
>>>>>>>>>>> wanted to go. There was also htmlentities() in the redirect header
>>>>>>>>>>> which made no sense IMO.
>>>>>>>>>>> 
>>>>>>>>>>> As this is quite important code, i was waiting for someone in
>>>>>>>>>>> owncloud-dev to look at it together, but in the end i just
>>>>>>>>>>> committed
>>>>>>>>>>> this:
>>>>>>>>>>> 
>>>>>>>>>>> http://gitorious.org/owncloud/owncloud/commit/ea33b4aaa104252ff344e93a434e6c2eedcf438b/diffs/9b5e8a2c634e07d9c6e1693158e224eda7e5f673
>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> This introduces a XSS bug.
>>>>>>>>>> Please revert
>>>>>>>>>> 
>>>>>>>>>>> So maybe Georg or someone else should check if this is what was
>>>>>>>>>>> intended. At least it was broken before, and this commit fixes it.
>>>>>>>>>>> Have a nice release! tomorrow, right?
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> cheers,
>>>>>>>>>>> Michiel
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> Owncloud mailing list
>>>>>>>>>>> Owncloud at kde.org
>>>>>>>>>>> https://mail.kde.org/mailman/listinfo/owncloud
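An added example, written for this page and not code from the thread or from ownCloud, of the allow-list form of the check the thread is circling: instead of denying values that look like an http(s) URL (which misses protocol-relative "//host" targets, backslash variants and other schemes), the login page accepts only a same-site path and falls back to a default app otherwise. The function name safeRedirectTarget and the fallback "/?app=files" are assumptions; the parameter name redirect_url and the sample targets come from the thread.

```php
<?php
// Added example, not ownCloud's own code. Validates the redirect_url
// parameter so the login page only ever redirects to a local path such as
// "/?app=music&a=b" or "/settings/personal.php".

/**
 * Return $candidate if it is a safe same-site redirect target, else $fallback.
 */
function safeRedirectTarget(?string $candidate, string $fallback = '/'): string
{
    if ($candidate === null || $candidate === '') {
        return $fallback;
    }
    // CR/LF or any other control character must never reach header().
    if (preg_match('/[\x00-\x1f\x7f]/', $candidate)) {
        return $fallback;
    }
    // Require exactly one leading slash. This rejects anything with a scheme
    // ("http://host", "javascript:..."), protocol-relative "//host", and the
    // backslash variant "/\host" that browsers normalise to "//host".
    if (!preg_match('#^/(?![/\\\\])#', $candidate)) {
        return $fallback;
    }
    // Second opinion from parse_url(): a local path has neither host nor scheme.
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['host']) || isset($parts['scheme'])) {
        return $fallback;
    }
    return $candidate;
}

// Usage on the login page (fallback app is an assumption). The Location
// header carries the raw path; htmlentities()/htmlspecialchars() belong in
// HTML output, such as the hidden field that re-posts the target, not in
// the header value.
$target = safeRedirectTarget($_REQUEST['redirect_url'] ?? null, '/?app=files');

if (isset($_SESSION['user_id'])) {
    header('Location: ' . $target, true, 302);
    exit;
}

echo '<input type="hidden" name="redirect_url" value="'
    . htmlspecialchars($target, ENT_QUOTES, 'UTF-8') . '">';
```

With this check, "/?app=music&a=b" and "/settings/personal.php" pass through unchanged, while "http://example.org/", "//example.org", "/\example.org" and a value containing a newline all collapse to the fallback. Keeping the escaping decision tied to the output context (header versus HTML) is what resolves the htmlentities() disagreement earlier in the thread.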