Contents of /rpms/e-smith-manager/sme9/e-smith-manager-2.6.0-bz10187-emptyback.patch


Revision 1.2
Mon Mar 27 22:48:06 2017 UTC (7 years, 1 month ago) by unnilennium
Branch: MAIN
CVS Tags: e-smith-manager-2_6_0-23_el6_sme, e-smith-manager-2_6_0-22_el6_sme, e-smith-manager-2_6_0-21_el6_sme, e-smith-manager-2_6_0-24_el6_sme, e-smith-manager-2_6_0-20_el6_sme, e-smith-manager-2_6_0-25_el6_sme, e-smith-manager-2_6_0-19_el6_sme, e-smith-manager-2_6_0-18_el6_sme, HEAD
Changes since 1.1: +1 -1 lines
* Mon Mar 27 2017 Jean-Philipe Pialasse <tests@pialasse.com> 2.6.0-18.sme
- fix typo in e-smith-manager-2.6.0-bz10187-emptyback.patch [SME: 10187]

1 diff -Nur e-smith-manager-2.8.0.old/root/etc/e-smith/web/common/cgi-bin/login e-smith-manager-2.8.0/root/etc/e-smith/web/common/cgi-bin/login
2 --- e-smith-manager-2.8.0.old/root/etc/e-smith/web/common/cgi-bin/login 2017-03-25 23:40:27.418000000 -0400
3 +++ e-smith-manager-2.8.0/root/etc/e-smith/web/common/cgi-bin/login 2017-03-25 23:45:23.288000000 -0400
4 @@ -101,7 +101,7 @@
5 #warn "back from cgi param is $back\n" if $back;
6 $back ||= $ENV{HTTP_REFERER} if $ENV{HTTP_REFERER} && $BACK_REFERER;
7 $back = uri_unescape($back) if $back && $back =~ m/^https?%3A%2F%2F/i;
8 -$back =~ s/^http:/https:/ if $server_name ne 'localhost';
9 +$back =~ s/^http:/https:/ if $server_name ne 'localhost' && defined($back);
10 #warn "back is $back\n";
11 if ($back && $back =~ m!^/!) {
12 my $hostname = $server_name;
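
Review bot: on the changed substitution line, the new `defined($back)` guard is tested last and uses a different test from the lines around it, which guard with plain truthiness (`if $back && ...`, `if ($back && ...`). Put the check on `$back` first so the reader sees the precondition before the `$server_name` comparison, and use one convention throughout, for example `$back =~ s/^http:/https:/ if defined($back) && $server_name ne 'localhost';`. With the mixed tests, an empty `back` value is treated as present on this line and as absent on the lines before and after it, which is worth either unifying or explaining in a comment.
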
13 @@ -132,7 +132,10 @@
14 my $b = URI->new($back);
15 # If $back domain doesn't match $AUTH_DOMAIN, stop there do not give opportunity to log in
16 my $domain = $AUTH_DOMAIN || $server_name;
17 -if ($b->host !~ m/\b$domain$/i) {
18 +if (! defined($back)) {
19 + $fatal="Missing redirection parameter: \"back\" <br />\nPlease manually enter the address you were trying to reach if you followed a link.<br />\n";
20 +}
21 +if (defined($back) && $b->host !~ m/\b$domain$/i) {
22 $fatal="Bad redirection parameter: \"$back\" is not an authorized redirection.<br />\nYou may be experiencing an attack.<br />\nLogin is not possible on the above URL for your own security.<br />\nPlease manually enter the address you were trying to reach if you followed a link.";
23 }
24
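
Review bot: the missing-parameter check and the domain check are mutually exclusive but are written as two separate `if` statements, with `defined($back)` tested in both; an `if (! defined($back)) { ... } elsif ($b->host !~ ...) { ... }` chain states that directly and removes the repeated test. The context line `my $b = URI->new($back);` still runs with an undefined `$back` before either check, so the missing-parameter test would sit better above it. Since this line is being touched anyway, note that `m/\b$domain$/i` interpolates `$domain` without `\Q...\E` and is left-anchored only by `\b`, so it accepts more hosts than the domain and its subdomains; quoting the variable and anchoring on start of string or a literal dot, as in `m/(?:^|\.)\Q$domain\E$/i`, would tighten the redirect check. The new message also ends in `<br />\n` while the existing one does not, which is a minor inconsistency.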
