unnilennium |
1.1 |
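diff -Nur e-smith-manager-2.8.0.old/root/etc/e-smith/web/common/cgi-bin/login e-smith-manager-2.8.0/root/etc/e-smith/web/common/cgi-bin/login
--- e-smith-manager-2.8.0.old/root/etc/e-smith/web/common/cgi-bin/login 2017-03-25 23:40:27.418000000 -0400
+++ e-smith-manager-2.8.0/root/etc/e-smith/web/common/cgi-bin/login 2017-03-25 23:45:23.288000000 -0400
@@ -101,7 +101,7 @@
 #warn "back from cgi param is $back\n" if $back;
 $back ||= $ENV{HTTP_REFERER} if $ENV{HTTP_REFERER} && $BACK_REFERER;
 $back = uri_unescape($back) if $back && $back =~ m/^https?%3A%2F%2F/i;
-$back =~ s/^http:/https:/ if $server_name ne 'localhost';
+$back =~ s/^http:/https:/ if $server_name ne 'localhost' && defined($back;
 #warn "back is $back\n";
 if ($back && $back =~ m!^/!) {
 my $hostname = $server_name;
@@ -132,7 +132,10 @@
 my $b = URI->new($back);
 # If $back domain doesn't match $AUTH_DOMAIN, stop there do not give opportunity to log in
 my $domain = $AUTH_DOMAIN || $server_name;
-if ($b->host !~ m/\b$domain$/i) {
+if (! defined($back)) {
+ $fatal="Missing redirection parameter: \"back\" <br />\nPlease manually enter the address you were trying to reach if you followed a link.<br />\n";
+}
+if (defined($back) && $b->host !~ m/\b$domain$/i) {
 $fatal="Bad redirection parameter: \"$back\" is not an authorized redirection.<br />\nYou may be experiencing an attack.<br />\nLogin is not possible on the above URL for your own security.<br />\nPlease manually enter the address you were trying to reach if you followed a link.";
 }
 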
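Review bot: The new line `$back =~ s/^http:/https:/ if $server_name ne 'localhost' && defined($back;` in the first hunk is missing the closing parenthesis of `defined(`, so as written the script will not compile and every login request will fail; it should read `$back =~ s/^http:/https:/ if defined $back && $server_name ne 'localhost';` (the `if ($back && $back =~ m!^/!) {` block that follows it continues outside the hunk). In the second hunk the now-guarded host test `$b->host !~ m/\b$domain$/i` still interpolates `$domain` unescaped and anchors only with `\b` and `$`: the dots in the domain match any character and a hyphen counts as a word boundary, so the check accepts hosts that are neither `$domain` nor a dot-delimited subdomain of it, which is exactly the unauthorized redirection the message below is meant to stop. Compare the host exactly or as a `.`-suffix instead: `my $host = lc($b->host // '');` followed by `if (defined($back) && $host ne lc($domain) && $host !~ m/\.\Q$domain\E\z/) {`. Since `$b` is built from `$back` before either test runs, the two consecutive `if (! defined($back))` / `if (defined($back) && ...)` statements would also read more clearly as a single `if`/`elsif`.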