On Thu, 2015-06-25 at 07:42 +0200, Lukas Fleischer wrote:
On Fri, 19 Jun 2015 at 15:04:14, Lukas Fleischer wrote:
On Thu, 18 Jun 2015 at 21:28:17, Gordian Edenhofer wrote:
After the user was authenticated a redirect to the site which linked the user to the login page is done. This fixes FS#32481. --- web/html/login.php | 1 + web/lib/acctfuncs.inc.php | 15 ++++++++++++++- 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/web/html/login.php b/web/html/login.php index f898a57..1b3a589 100644 --- a/web/html/login.php +++ b/web/html/login.php @@ -42,6 +42,7 @@ html_header('AUR ' . __("Login")); <p> <input type="submit" class="button" value="<?php print __("Login"); ?>" /> <a href="<?= get_uri('/passreset/') ?>">[<?= __('Forgot Password') ?>]</a> + <input id="id_referer" type="hidden" name="referer" value="<?= !empty($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/'; ?>" />
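Review bot: in the added `<input id="id_referer" ...>` line of web/html/login.php, `$_SERVER['HTTP_REFERER']` is echoed into the `value` attribute unescaped. The Referer header is client-controlled, so a double quote in it ends the attribute and the rest is parsed as markup. Wrap the value in htmlspecialchars() with ENT_QUOTES, which is the escaping that matches an HTML attribute context. Because the hidden field is posted back by the client, the code that reads `referer` should accept only same-site targets before redirecting. The web/lib/acctfuncs.inc.php hunk listed in the diffstat is not shown here, so that could not be checked.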
Please use urlencode() to escape the value of $_SERVER['HTTP_REFERER'].
Also, I would prefer not setting the referer field at all if the HTTP header is not available:
    <?php if (isset($_SERVER['HTTP_REFERER'])): ?>
    <input id="id_referer" type="hidden" name="referer" value="<?= urlencode($_SERVER['HTTP_REFERER']) ?>" />
    <?php endif; ?>
It would be nice if we could avoid the use of HTTP referers but it seems like a good temporary solution. Thank you for implementing this, some more comments below. [...]
Gordian, are you going to submit a reworked version of this patch?
Sorry for the delay! I did send the patch a week ago, but it seems like my mail client did not do its job. (GMail marked the mail as sent, though the mailman archive does not. I have no idea why.) I hope this reworded patch is in line with the expectations.

Best regards,
Gordian
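An added example (not part of this thread or of the AUR code base) of the two checks a referer-based login redirect needs: escaping the hidden field for its HTML attribute context, and reducing the posted value to a same-site path before redirecting. The names safe_redirect_target(), referer_field(), the $own_host parameter and the sample URLs are assumptions made for illustration.

```php
<?php
// Added example, not AUR code. Function names and $own_host are hypothetical;
// $own_host is assumed to come from site configuration, not the Host header.
function safe_redirect_target($candidate, $own_host) {
    if (!is_string($candidate) || $candidate === '') {
        return '/';
    }
    // Reject control characters (header splitting) and backslashes, which
    // some browsers treat as forward slashes.
    if (preg_match('/[\x00-\x1f\x7f\\\\]/', $candidate)) {
        return '/';
    }
    $parts = parse_url($candidate);
    if ($parts === false) {
        return '/';
    }
    // Anything carrying a scheme or host must be http(s) on our own host.
    // Protocol-relative values ("//host/...") have no scheme and are refused.
    if (isset($parts['scheme']) || isset($parts['host'])) {
        $scheme = isset($parts['scheme']) ? strtolower($parts['scheme']) : '';
        $host = isset($parts['host']) ? strtolower($parts['host']) : '';
        if (!in_array($scheme, array('http', 'https'), true)
                || $host !== strtolower($own_host)) {
            return '/';
        }
    }
    // Keep only the local path and query string.
    $path = isset($parts['path']) ? $parts['path'] : '/';
    if ($path === '' || $path[0] !== '/' || strncmp($path, '//', 2) === 0) {
        return '/';
    }
    return $path . (isset($parts['query']) ? '?' . $parts['query'] : '');
}

// Hidden field: htmlspecialchars() keeps quotes in the header value from
// closing the attribute.
function referer_field($referer) {
    return '<input id="id_referer" type="hidden" name="referer" value="'
        . htmlspecialchars($referer, ENT_QUOTES, 'UTF-8') . '" />';
}

// Constructed sample values, not taken from the thread.
$samples = array(
    'https://aur.example/packages/?K=foo',  // same site: kept as path + query
    'https://other.example/packages/',      // foreign host: falls back to /
    '//other.example/',                     // protocol-relative: falls back to /
    'javascript:alert(1)',                  // non-http scheme: falls back to /
);
foreach ($samples as $s) {
    echo safe_redirect_target($s, 'aur.example'), "\n";
}
echo referer_field('https://aur.example/?a="><b>'), "\n";
```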