* auth_internal OTP form: fix double-urlencode

* post-login redirect: handle ?return in a less idiotic fashion
2023-03-23 20:05:03 +03:00 · 2023-03-23 20:05:03 +03:00 · 563675de09
parent 0f9488ace0
commit 563675de09
2 changed files with 5 additions and 5 deletions
--- a/classes/handler/public.php
+++ b/classes/handler/public.php
@ -416,10 +416,10 @@ class Handler_Public extends Handler {
 				$_SESSION["login_error_msg"] ??= __("Incorrect username or password");
 			}
-			$return = clean($_REQUEST['return']);
+			$return = clean($_REQUEST['return'] ?? '');
-			if ($_REQUEST['return'] && mb_strpos($return, Config::get_self_url()) === 0) {
+			if ($return && mb_strpos($return, Config::get_self_url()) === 0) {
-				header("Location: " . clean($_REQUEST['return']));
+				header("Location: $return");
 			} else {
 				header("Location: " . Config::get_self_url());
 			}
--- a/plugins/auth_internal/init.php
+++ b/plugins/auth_internal/init.php
@ -36,7 +36,7 @@ class Auth_Internal extends Auth_Base {
 						return false;
 				} else {
-					$return = urlencode($_REQUEST["return"]);
+					$return = urlencode(with_trailing_slash($_REQUEST["return"]));
 					?>
 					<!DOCTYPE html>
 					<html>
@ -81,7 +81,7 @@ class Auth_Internal extends Auth_Base {
 							<body class="flat ttrss_utility otp css_loading">
 								<h1><?= __("Authentication") ?></h1>
 								<div class="content">
-									<form dojoType="dijit.form.Form" action="public.php?return=<?= urlencode(with_trailing_slash($return)) ?>" method="post" class="otpform">
+									<form dojoType="dijit.form.Form" action="public.php?return=<?= $return ?>" method="post" class="otpform">
 										<?php foreach (["login", "password", "bw_limit", "safe_mode", "remember_me", "profile"] as $key) {
 											print \Controls\hidden_tag($key, $_POST[$key] ?? "");