/[smeserver]/rpms/e-smith-manager/sme10/e-smith-manager-2.8.0-bz9924-badredirection.patch

Annotation of /rpms/e-smith-manager/sme10/e-smith-manager-2.8.0-bz9924-badredirection.patch



Revision 1.2
Thu Jan 19 23:44:59 2017 UTC by unnilennium
Branch: MAIN
CVS Tags: e-smith-manager-2_8_0-35_el7_sme, e-smith-manager-2_8_0-24_el7_sme, e-smith-manager-2_8_0-21_el7_sme, e-smith-manager-2_8_0-28_el7_sme, e-smith-manager-2_8_0-29_el7_sme, e-smith-manager-2_8_0-31_el7_sme, e-smith-manager-2_8_0-19_el7_sme, e-smith-manager-2_8_0-20_el7_sme, e-smith-manager-2_8_0-30_el7_sme, e-smith-manager-2_8_0-27_el7_sme, e-smith-manager-2_8_0-25_el7_sme, e-smith-manager-2_8_0-26_el7_sme, e-smith-manager-2_8_0-16_el7_sme, e-smith-manager-2_8_0-37_el7_sme, e-smith-manager-2_8_0-32_el7_sme, e-smith-manager-2_8_0-15_el7_sme, e-smith-manager-2_8_0-38_el7_sme, e-smith-manager-2_8_0-22_el7_sme, e-smith-manager-2_8_0-17_el7_sme, e-smith-manager-2_8_0-18_el7_sme, e-smith-manager-2_8_0-33_el7_sme, e-smith-manager-2_8_0-34_el7_sme, e-smith-manager-2_8_0-36_el7_sme, HEAD
Changes since 1.1: +27 -9 lines
* Mon Jan 16 2017 Jean-Philipe Pialasse <tests@pialasse.com> 2.8.0-15.sme
- fix bad redirection parameter that might reveal session information to remote site [SME: 9924]

1 unnilennium 1.1 --- e-smith-manager-2.8.0.old/root/etc/e-smith/web/common/cgi-bin/login 2017-01-16 18:52:49.634000000 -0500
2 unnilennium 1.2 +++ e-smith-manager-2.8.0/root/etc/e-smith/web/common/cgi-bin/login 2017-01-19 18:43:52.664000000 -0500
3     @@ -129,6 +129,13 @@
4     my $ip_addr = $at->ignore_ip ? undef : $ENV{REMOTE_ADDR};
5     my $redirected = 0;
6    
7     +my $b = URI->new($back);
8     +# If $back domain doesn't match $AUTH_DOMAIN, stop there do not give opportunity to log in
9     +my $domain = $AUTH_DOMAIN || $server_name;
10     +if ($b->host !~ m/\b$domain$/i) {
11     + $fatal="Bad redirection parameter: \"$back\" is not an authorized redirection.<br />\nYou may be experiencing an attack.<br />\nLogin is not possible on the above URL for your own security.<br />\nPlease manually enter the address you were trying to reach if you followed a link.";
12     + }
13     +
14     # ------------------------------------------------------------------------
15     # Set the auth cookie and redirect to $back
16     my $set_cookie_redirect = sub {
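Review bot: the suffix check `if ($b->host !~ m/\b$domain$/i) {` interpolates $domain into the regex unescaped, so each `.` in the domain matches any character and `\b` accepts a `-` as a word boundary; with $domain set to example.com, hosts such as evil-example.com or examplexcom pass the check and the login proceeds. Quoting the value and requiring either an exact match or a dot before the suffix closes that, e.g. `my $d = quotemeta($domain);` followed by `if ($b->host !~ m/(^|\.)$d$/i) {`. Please also confirm that $fatal set here is acted on before $set_cookie_redirect is invoked, and that $b->host is defined for every form $back can take (an empty or relative $back has no host), otherwise the new check does not actually stop the login.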
17     @@ -156,14 +163,6 @@
18     print $q->header( -cookie => $cookie );
19     #return 0 if $debug;
20    
21     - my $b = URI->new($back);
22     - # If $back domain doesn't match $AUTH_DOMAIN, pass ticket via back GET param
23     - my $domain = $AUTH_DOMAIN || $server_name;
24     - if ($b->host !~ m/\b$domain$/i) {
25 unnilennium 1.1 - $back .= $b->query ? '&' : '?';
26     - $back .= $at->cookie_name . '=' . $tkt;
27 unnilennium 1.2 - }
28     -
29 unnilennium 1.1 # For some reason, using a Location: header doesn't seem to then see the
30 unnilennium 1.2 # cookie, but a meta refresh one does - weird
31     print $q->start_html(
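Review bot: removing the fallback that appended `$at->cookie_name . '=' . $tkt` to an off-domain $back is the right fix, since that branch was what sent the session ticket to a remote site in the query string. With it gone, the cookie emitted by `print $q->header( -cookie => $cookie );` is the only way the session reaches the target, so a $back host that passes the suffix check (any subdomain of $domain does) but lies outside the cookie's domain scope would arrive without a session and bounce back to login; worth confirming the cookie's domain attribute is derived from the same `$AUTH_DOMAIN || $server_name` value the new check uses.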
