/[smeserver]/rpms/e-smith-manager/sme10/e-smith-manager-2.8.0-bz10167-emptyback.patch
ViewVC logotype

Contents of /rpms/e-smith-manager/sme10/e-smith-manager-2.8.0-bz10167-emptyback.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (show annotations) (download)
Sun Mar 26 03:47:54 2017 UTC (7 years, 8 months ago) by unnilennium
Branch: MAIN
CVS Tags: e-smith-manager-2_8_0-18_el7_sme
* Sat Mar 25 2017 Jean-Philipe Pialasse <tests@pialasse.com> 2.8.0-18.sme
- avoid internal server error if empty back parameter [SME: 10167]
- return user friendly message

1 diff -Nur e-smith-manager-2.8.0.old/root/etc/e-smith/web/common/cgi-bin/login e-smith-manager-2.8.0/root/etc/e-smith/web/common/cgi-bin/login
2 --- e-smith-manager-2.8.0.old/root/etc/e-smith/web/common/cgi-bin/login 2017-03-25 23:40:27.418000000 -0400
3 +++ e-smith-manager-2.8.0/root/etc/e-smith/web/common/cgi-bin/login 2017-03-25 23:45:23.288000000 -0400
4 @@ -101,7 +101,7 @@
5 #warn "back from cgi param is $back\n" if $back;
6 $back ||= $ENV{HTTP_REFERER} if $ENV{HTTP_REFERER} && $BACK_REFERER;
7 $back = uri_unescape($back) if $back && $back =~ m/^https?%3A%2F%2F/i;
8 -$back =~ s/^http:/https:/ if $server_name ne 'localhost';
9 +$back =~ s/^http:/https:/ if $server_name ne 'localhost' && defined($back;
10 #warn "back is $back\n";
11 if ($back && $back =~ m!^/!) {
12 my $hostname = $server_name;
13 @@ -132,7 +132,10 @@
14 my $b = URI->new($back);
15 # If $back domain doesn't match $AUTH_DOMAIN, stop there do not give opportunity to log in
16 my $domain = $AUTH_DOMAIN || $server_name;
17 -if ($b->host !~ m/\b$domain$/i) {
18 +if (! defined($back)) {
19 + $fatal="Missing redirection parameter: \"back\" <br />\nPlease manually enter the address you were trying to reach if you followed a link.<br />\n";
20 +}
21 +if (defined($back) && $b->host !~ m/\b$domain$/i) {
22 $fatal="Bad redirection parameter: \"$back\" is not an authorized redirection.<br />\nYou may be experiencing an attack.<br />\nLogin is not possible on the above URL for your own security.<br />\nPlease manually enter the address you were trying to reach if you followed a link.";
23 }
24

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed