[aur-dev] [PATCH] Redirect at previous page after a successful login
After the user was authenticated a redirect to the site which linked the user to the login page is done. This fixes FS#32481. --- web/html/login.php | 1 + web/lib/acctfuncs.inc.php | 15 ++++++++++++++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/web/html/login.php b/web/html/login.php index f898a57..1b3a589 100644 --- a/web/html/login.php +++ b/web/html/login.php @@ -42,6 +42,7 @@ html_header('AUR ' . __("Login")); <p> <input type="submit" class="button" value="<?php print __("Login"); ?>" /> <a href="<?= get_uri('/passreset/') ?>">[<?= __('Forgot Password') ?>]</a> + <input id="id_referer" type="hidden" name="referer" value="<?= !empty($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/'; ?>" /> </p> </fieldset> </form> diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index 20ac081..127a991 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -544,7 +544,20 @@ function try_login() { } setcookie("AURSID", $new_sid, $cookie_time, "/", null, !empty($_SERVER['HTTPS']), true); - header("Location: " . get_uri('/')); + + /** + * Check whether the site itself refered here and if so refer back to its origin + * + * One major drawback is that POST request are not handled properly, the only possible + * solution I could think of is to use JavaScript to auto submit a hidden form, though + * it would slow down the page load time and would require js for a successful redirect. + * This hard dependcy is not somehtings I want to implement since this problem is too + * minor for such an agressive approach IMHO. + */ + $referer = !empty($_REQUEST['referer']) ? $_REQUEST['referer'] : '/'; + $aur_location = aur_location(); + $referer = strpos($referer, $aur_location) === 0 ? $referer : '/'; + header("Location: " . get_uri( $referer )); $login_error = ""; } -- 2.4.4
* Gordian Edenhofer <gordian.edenhofer@gmail.com> (Thu, 18 Jun 2015 21:28:17 +0200):
After the user was authenticated a redirect to the site which linked the user to the login page is done. This fixes FS#32481. --- […] + <input id="id_referer" type="hidden" name="referer" value="<?= !empty($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/'; ?>" /> </p> </fieldset>
You should use htmlspecialchars here, &s should be encoded as & etc. But I fear this method has the same drawback as mine: the user can tamper with those hidden form fields.
On Thu, 18 Jun 2015 at 21:28:17, Gordian Edenhofer wrote:
After the user was authenticated a redirect to the site which linked the user to the login page is done. This fixes FS#32481. --- web/html/login.php | 1 + web/lib/acctfuncs.inc.php | 15 ++++++++++++++- 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/web/html/login.php b/web/html/login.php index f898a57..1b3a589 100644 --- a/web/html/login.php +++ b/web/html/login.php @@ -42,6 +42,7 @@ html_header('AUR ' . __("Login")); <p> <input type="submit" class="button" value="<?php print __("Login"); ?>" /> <a href="<?= get_uri('/passreset/') ?>">[<?= __('Forgot Password') ?>]</a> + <input id="id_referer" type="hidden" name="referer" value="<?= !empty($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/'; ?>" />
Please use urlencode() to escape the value of $_SERVER['HTTP_REFERER']. Also, I would prefer not setting the referer field at all if the HTTP header is not available: <?php if (isset($_SERVER['HTTP_REFERER'])): ?> <input id="id_referer" type="hidden" name="referer" value="<?= urlencode($_SERVER['HTTP_REFERER']) ?>" /> <?php endif; ?> It would be nice if we could avoid the use of HTTP referers but it seems like a good temporary solution. Thank you for implementing this, some more comments below.
</p> </fieldset> </form> diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index 20ac081..127a991 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -544,7 +544,20 @@ function try_login() { }
setcookie("AURSID", $new_sid, $cookie_time, "/", null, !empty($_SERVER['HTTPS']), true); - header("Location: " . get_uri('/')); + + /** + * Check whether the site itself refered here and if so refer back to its origin + * + * One major drawback is that POST request are not handled properly, the only possible + * solution I could think of is to use JavaScript to auto submit a hidden form, though + * it would slow down the page load time and would require js for a successful redirect. + * This hard dependcy is not somehtings I want to implement since this problem is too + * minor for such an agressive approach IMHO. + */
This comment doesn't really belong here. You could have added it below the "---" marker that follows the commit message. I am also not quite sure which issue you are referring to here. Are you talking about the problem described in FS#31882 [1]?
+ $referer = !empty($_REQUEST['referer']) ? $_REQUEST['referer'] : '/';
You can use the in_request() helper function here.
+ $aur_location = aur_location();
No need for an extra variable here. Just call aur_location() in the line below.
+ $referer = strpos($referer, $aur_location) === 0 ? $referer : '/';
I'd prefer parenthesis around the comparison here. Maybe even use an if-block for improved readability?
+ header("Location: " . get_uri( $referer ));
Style: No spaces before and after the parameter list, please.
$login_error = ""; }
-- 2.4.4
* Lukas Fleischer <lfleischer@archlinux.org> (Fri, 19 Jun 2015 15:04:14 +0200):
+ <input id="id_referer" type="hidden" name="referer" value="<?= !empty($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/'; ?>" />
Please use urlencode() to escape the value of $_SERVER['HTTP_REFERER'].
With due respect, I think you're wrong here: he is not writing a URL parameter, but an HTML attribute. The URL-encoding has already been taken into account by the browser at this point. Please test it with a tag you create with a UTF-8 character in it, click on it to open a search result page and then login and view the source. Best, Marcel
On Fri, 19 Jun 2015 at 15:50:57, Marcel Korpel wrote:
* Lukas Fleischer <lfleischer@archlinux.org> (Fri, 19 Jun 2015 15:04:14 +0200):
+ <input id="id_referer" type="hidden" name="referer" value="<?= !empty($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/'; ?>" />
Please use urlencode() to escape the value of $_SERVER['HTTP_REFERER'].
With due respect, I think you're wrong here: he is not writing a URL parameter, but an HTML attribute. The URL-encoding has already been taken into account by the browser at this point. [...]
Yeah, you're right. Good catch! It should be htmlspecialchars($_SERVER['HTTP_REFERER'], ENT_QUOTES) then.
On Fri, 19 Jun 2015 at 15:04:14, Lukas Fleischer wrote:
On Thu, 18 Jun 2015 at 21:28:17, Gordian Edenhofer wrote:
After the user was authenticated a redirect to the site which linked the user to the login page is done. This fixes FS#32481. --- web/html/login.php | 1 + web/lib/acctfuncs.inc.php | 15 ++++++++++++++- 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/web/html/login.php b/web/html/login.php index f898a57..1b3a589 100644 --- a/web/html/login.php +++ b/web/html/login.php @@ -42,6 +42,7 @@ html_header('AUR ' . __("Login")); <p> <input type="submit" class="button" value="<?php print __("Login"); ?>" /> <a href="<?= get_uri('/passreset/') ?>">[<?= __('Forgot Password') ?>]</a> + <input id="id_referer" type="hidden" name="referer" value="<?= !empty($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/'; ?>" />
Please use urlencode() to escape the value of $_SERVER['HTTP_REFERER'].
Also, I would prefer not setting the referer field at all if the HTTP header is not available:
<?php if (isset($_SERVER['HTTP_REFERER'])): ?> <input id="id_referer" type="hidden" name="referer" value="<?= urlencode($_SERVER['HTTP_REFERER']) ?>" /> <?php endif; ?>
It would be nice if we could avoid the use of HTTP referers but it seems like a good temporary solution. Thank you for implementing this, some more comments below. [...]
Gordian, are you going to submit a reworked version of this patch?
On Thu, 2015-06-25 at 07:42 +0200, Lukas Fleischer wrote:
On Fri, 19 Jun 2015 at 15:04:14, Lukas Fleischer wrote:
On Thu, 18 Jun 2015 at 21:28:17, Gordian Edenhofer wrote:
After the user was authenticated a redirect to the site which linked the user to the login page is done. This fixes FS#32481. --- web/html/login.php | 1 + web/lib/acctfuncs.inc.php | 15 ++++++++++++++- 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/web/html/login.php b/web/html/login.php index f898a57..1b3a589 100644 --- a/web/html/login.php +++ b/web/html/login.php @@ -42,6 +42,7 @@ html_header('AUR ' . __("Login")); <p> <input type="submit" class="button" value="<?php print __("Login"); ?>" /> <a href="<?= get_uri('/passreset/') ?>">[<?= __('Forgot Password') ?>]</a> + <input id="id_referer" type="hidden" name="referer" value="<?= !empty($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/'; ?>" />
Please use urlencode() to escape the value of $_SERVER['HTTP_REFERER'].
Also, I would prefer not setting the referer field at all if the HTTP header is not available:
<?php if (isset($_SERVER['HTTP_REFERER'])): ?> <input id="id_referer" type="hidden" name="referer" value="<?= urlencode($_SERVER['HTTP_REFERER']) ?>" /> <?php endif; ?>
It would be nice if we could avoid the use of HTTP referers but it seems like a good temporary solution. Thank you for implementing this, some more comments below. [...]
Gordian, are you going to submit a reworked version of this patch?
Sorry for the delay! I did send the patch a week ago, but it seems like my mail client did not do its job. (GMail marked the mail as send, though the mailman archive does not. I have no idea why.) I hope this reworded patch is in line with the expectations. Best regards, Gordian
participants (3)
-
Gordian Edenhofer
-
Lukas Fleischer
-
Marcel Korpel