[aur-dev] [PATCH] Redirect back after login

canyonknight canyonknight at gmail.com
Mon Dec 17 17:44:03 EST 2012


On Mon, Dec 17, 2012 at 1:10 PM, Marcel Korpel <marcel.lists at gmail.com> wrote:
> On Sun, Dec 16, 2012 at 7:12 PM, canyonknight <canyonknight at gmail.com> wrote:
>> This implementation is susceptible to HTTP header injection.
>
> Ok. You mean in the current 'Location:' line without filtering 0x0a and 0x0d?
>

Response splitting shouldn't be an issue. PHP prevents multiple
headers from being sent at once in the header() function. I was
referring to the fact that it is an unsanitized $_GET variable being
used as a header. It can be manipulated and could redirect to a
website outside the AUR or some other clever attack.

That is one of the nice things about using a $_SESSION variable in
this case. The server could directly set the redirect location in a
$_SESSION variable without the user being able to tamper with it.

>> Also note
>> the usage of $_SERVER['REQUEST_URI'] had previously been eliminated
>> with commit 630f1cbae8473fb05e5f5af7244eccc60fe93812.
>
> If we can't trust $_SERVER['REQUEST_URI'], then how should we
> determine the current URL? Using $_SERVER['PATH_INFO'] and
> $_SERVER['QUERY_STRING']? Or are these also susceptible to
> manipulation?
>

Briefly, I always thought the following could be a decent solution:
- User is on a page and the route is saved as a $_SESSION variable
- User navigates to login page and logs in
- Login page uses the routing code to redirect to page saved in the
$_SESSION variable

I realize it isn't a GET parameter solution, but it is easy to do
securely. The only downside is if a user has multiple tabs open, it
will redirect to the last page opened. That, and implementing it properly
would require a bit of work.

Regards,

Jason
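The two patterns discussed in this thread side by side, as an added example that is not the AUR's own code or the patch under review: the open-redirect shape of passing an unsanitized `$_GET` value into `header('Location: ...')`, a same-site path check for cases where a GET parameter is unavoidable, and the `$_SESSION`-stored return route Jason describes. The parameter name `referer`, the session key `return_to`, and the function names are assumptions for illustration. `header()` itself has refused values containing CR or LF since PHP 4.4.2/5.1.2, which is why the mail says response splitting is not the concern; the off-site redirect is.

```php
<?php
// Added example, not code from the AUR project or from the patch in this
// thread. Parameter name 'referer', session key 'return_to' and all
// function names are assumptions for illustration.

// VULNERABLE: the client controls the redirect target.
// ?referer=http://evil.example/ sends a freshly logged-in user off-site.
// header() blocks "\r"/"\n" (no response splitting), but nothing here
// stops an absolute or protocol-relative URL.
function redirect_after_login_unsafe(): void
{
    header('Location: ' . ($_GET['referer'] ?? '/'));
    exit;
}

// Accept only a same-site absolute path:
//  - must start with exactly one "/" (so "//evil.example" and "/\evil"
//    which browsers read as protocol-relative URLs, are rejected)
//  - must carry no scheme or host once parsed
//  - must contain no CR/LF (defence in depth; header() rejects them too)
function is_local_path(string $target): bool
{
    if ($target === '' || $target[0] !== '/') {
        return false;
    }
    if (strlen($target) > 1 && ($target[1] === '/' || $target[1] === '\\')) {
        return false;
    }
    if (preg_match('/[\r\n]/', $target)) {
        return false;
    }
    $parts = parse_url($target);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return false;
    }
    return true;
}

// Session variant from the mail: the routing code records the route it
// just served, before the user is sent to the login page. The value never
// passes through the client, so it cannot be tampered with. The route is
// still checked so a bug elsewhere cannot turn this into an open redirect.
function remember_return_route(string $route): void
{
    if (is_local_path($route)) {
        $_SESSION['return_to'] = $route;
    }
}

// After a successful login: consume the stored route (so it is used once),
// fall back to a safe default, and redirect with 303 so a POST login does
// not get replayed against the target page.
function redirect_after_login(string $default = '/'): void
{
    $target = $_SESSION['return_to'] ?? $default;
    unset($_SESSION['return_to']);
    if (!is_local_path($target)) {
        $target = $default;
    }
    header('Location: ' . $target, true, 303);
    exit;
}

// Self-check of the validator on constructed inputs (runs under php-cli).
// Expected: local paths pass, everything that could leave the site fails.
$cases = [
    '/packages.php?ID=1'      => true,
    '/'                       => true,
    'http://evil.example/'    => false,
    '//evil.example/'         => false,
    '/\\evil.example'         => false,
    "/foo\r\nSet-Cookie: x=1" => false,
    'javascript:alert(1)'     => false,
    ''                        => false,
];
foreach ($cases as $input => $expected) {
    $ok = is_local_path($input) === $expected ? 'PASS' : 'FAIL';
    printf("%s %s\n", $ok, json_encode($input));
}
```

Note that `remember_return_route()` should be fed the route the server-side router resolved, not `$_SERVER['REQUEST_URI']`, which is exactly the client-supplied string the earlier commit removed; that is what makes the session approach trustworthy without further checks.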

