On Fri, 2015-06-26 at 21:26 +0200, Lukas Fleischer wrote:
Cool, this is kind of what I expected! I wonder whether we can directly set a referer here, though? Shouldn't something like
get_uri('/login/', true) . '?referer=' . urlencode($uri)
work?
I can not make sense out of the "?referer" parameter, since my fix of FS#32481 uses $_SERVER['HTTP_REFERER'] and does not rely on an additional parameter to a GET request.
Having said that, I now see a potential problem with the GET parameter approach of implementing FS#32481. You could build a malicious login link that redirects to a certain page and send that link to a privileged user (i.e. a TU or a Developer). I am not aware of any action that cannot be undone and doesn't require any additional confirmation, so that probably isn't very critical. We should fix it anyway...
Since most of the relevant package actions are perform through POST req uests (which are redirected as GET requests), I could not think of any potential security issues. Furthermore the referer is partially checked for outgoing links: if (strpos($referer, aur_location()) !== 0) { $referer = '/'; }