
Annotation of /rpms/e-smith-manager/sme10/e-smith-manager-2.8.0-bz10167-emptyback.patch



Revision 1.1
Sun Mar 26 03:47:54 2017 UTC (7 years, 8 months ago) by unnilennium
Branch: MAIN
CVS Tags: e-smith-manager-2_8_0-18_el7_sme
* Sat Mar 25 2017 Jean-Philipe Pialasse <tests@pialasse.com> 2.8.0-18.sme
- avoid internal server error if empty back parameter [SME: 10167]
- return user friendly message

1 unnilennium 1.1 diff -Nur e-smith-manager-2.8.0.old/root/etc/e-smith/web/common/cgi-bin/login e-smith-manager-2.8.0/root/etc/e-smith/web/common/cgi-bin/login
2     --- e-smith-manager-2.8.0.old/root/etc/e-smith/web/common/cgi-bin/login 2017-03-25 23:40:27.418000000 -0400
3     +++ e-smith-manager-2.8.0/root/etc/e-smith/web/common/cgi-bin/login 2017-03-25 23:45:23.288000000 -0400
4     @@ -101,7 +101,7 @@
5     #warn "back from cgi param is $back\n" if $back;
6     $back ||= $ENV{HTTP_REFERER} if $ENV{HTTP_REFERER} && $BACK_REFERER;
7     $back = uri_unescape($back) if $back && $back =~ m/^https?%3A%2F%2F/i;
8     -$back =~ s/^http:/https:/ if $server_name ne 'localhost';
9     +$back =~ s/^http:/https:/ if $server_name ne 'localhost' && defined($back;
10     #warn "back is $back\n";
11     if ($back && $back =~ m!^/!) {
12     my $hostname = $server_name;
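Review bot: the added line ends in a syntax error, `defined($back;` is missing its closing parenthesis, so the login CGI will not compile at all once this patch is applied; it should read `$back =~ s/^http:/https:/ if $server_name ne 'localhost' && defined($back);`. Since the surrounding block already treats `$back` as false-or-string (`$back ||= $ENV{HTTP_REFERER} ...`, `if ($back && $back =~ m!^/!)`), a plain truthiness test (`if $back && $server_name ne 'localhost'`) would match the existing style and would also skip the substitution for an empty string, which `defined` does not.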
13     @@ -132,7 +132,10 @@
14     my $b = URI->new($back);
15     # If $back domain doesn't match $AUTH_DOMAIN, stop there do not give opportunity to log in
16     my $domain = $AUTH_DOMAIN || $server_name;
17     -if ($b->host !~ m/\b$domain$/i) {
18     +if (! defined($back)) {
19     + $fatal="Missing redirection parameter: \"back\" <br />\nPlease manually enter the address you were trying to reach if you followed a link.<br />\n";
20     +}
21     +if (defined($back) && $b->host !~ m/\b$domain$/i) {
22     $fatal="Bad redirection parameter: \"$back\" is not an authorized redirection.<br />\nYou may be experiencing an attack.<br />\nLogin is not possible on the above URL for your own security.<br />\nPlease manually enter the address you were trying to reach if you followed a link.";
23     }
24    
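Review bot: the new `defined($back)` guard is placed after `my $b = URI->new($back);` has already been evaluated with an undefined `$back`, and an empty `back=` parameter (the case named in the changelog entry) is defined but empty, so it still falls through to the second `if` and calls `$b->host` on a URI built from an empty string, which is not a safe call. Move the check above the `URI->new` line and test for emptiness as well, e.g. `if (!defined($back) || $back eq '') { $fatal = "Missing redirection parameter ..."; }` and only construct `$b` and run the `$b->host !~ m/\b$domain$/i` comparison in the non-empty branch, so the bad-domain branch is reached only with a usable value.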
