| 1 |
unnilennium |
1.1 |
diff -Nur e-smith-manager-2.2.0.old/root/etc/e-smith/web/common/cgi-bin/login e-smith-manager-2.2.0/root/etc/e-smith/web/common/cgi-bin/login |
| 2 |
|
|
--- e-smith-manager-2.2.0.old/root/etc/e-smith/web/common/cgi-bin/login 2014-02-18 01:29:31.000000000 -0500 |
| 3 |
|
|
+++ e-smith-manager-2.2.0/root/etc/e-smith/web/common/cgi-bin/login 2017-01-16 18:46:16.332000000 -0500 |
| 4 |
|
|
@@ -161,8 +161,7 @@ |
| 5 |
|
|
# If $back domain doesn't match $AUTH_DOMAIN, pass ticket via back GET param |
| 6 |
|
|
my $domain = $AUTH_DOMAIN || $server_name; |
| 7 |
|
|
if ($b->host !~ m/\b$domain$/i) { |
| 8 |
|
|
- $back .= $b->query ? '&' : '?'; |
| 9 |
|
|
- $back .= $at->cookie_name . '=' . $tkt; |
| 10 |
|
|
+ $fatal="Bad redirection parameter: \"$back\" is not an authorized redirection.<br />\nYou may be experiencing an attack.<br />\nLogin is not possible on the above URL for your own security.<br />\nPlease manually enter the address you were trying to reach if you followed a link."; |
| 11 |
|
|
} |
| 12 |
|
|
|
| 13 |
|
|
# For some reason, using a Location: header doesn't seem to then see the |
Parent Directory
| 
Revision Log
| 
Revision Graph
