valvin
/
ttrss
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

* auth_internal OTP form: fix double-urlencode 

* post-login redirect: handle ?return in a less idiotic fashion
This commit is contained in:
Andrew Dolgov 2023-03-23 20:05:03 +03:00
parent 0f9488ace0
commit 563675de09
No known key found for this signature in database
GPG Key ID: 1A56B4FA25D4AF2A
2 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
classes/handler/public.php
View File

@ -416,10 +416,10 @@ class Handler_Public extends Handler {
$_SESSION["login_error_msg"] ??= __("Incorrect username or password");
}
$return = clean($_REQUEST['return']);
$return = clean($_REQUEST['return'] ?? '');
if ($_REQUEST['return'] && mb_strpos($return, Config::get_self_url()) === 0) {
header("Location: " . clean($_REQUEST['return']));
if ($return && mb_strpos($return, Config::get_self_url()) === 0) {
header("Location: $return");
} else {
header("Location: " . Config::get_self_url());
}

4
plugins/auth_internal/init.php
View File

@ -36,7 +36,7 @@ class Auth_Internal extends Auth_Base {
return false;
} else {
$return = urlencode($_REQUEST["return"]);
$return = urlencode(with_trailing_slash($_REQUEST["return"]));
?>
<!DOCTYPE html>
<html>
@ -81,7 +81,7 @@ class Auth_Internal extends Auth_Base {
<body class="flat ttrss_utility otp css_loading">
<h1><?= __("Authentication") ?></h1>
<div class="content">
<form dojoType="dijit.form.Form" action="public.php?return=<?= urlencode(with_trailing_slash($return)) ?>" method="post" class="otpform">
<form dojoType="dijit.form.Form" action="public.php?return=<?= $return ?>" method="post" class="otpform">
<?php foreach (["login", "password", "bw_limit", "safe_mode", "remember_me", "profile"] as $key) {
print \Controls\hidden_tag($key, $_POST[$key] ?? "");