Thanks :-)

On 18.05.2012, at 15:41, Michiel de Jong <[email protected]> wrote:

> ok, i put it back.
>
> this still needs to be fixed properly though.
>
> On Fri, May 18, 2012 at 3:36 PM, Frank Karlitschek <[email protected]> wrote:
>> Attackers can do evil stuff if you don't filter header entries.
>> This code was introduced as part of a security fix a few weeks ago.
>>
>> On 18.05.2012, at 15:20, Michiel de Jong <[email protected]> wrote:
>>
>>> how? it's a header() call.
>>>
>>> ah i just found MTGap on irc. thanks!
>>>
>>> On Fri, May 18, 2012 at 3:18 PM, Frank Karlitschek <[email protected]> wrote:
>>>>
>>>> On 18.05.2012, at 15:16, Michiel de Jong <[email protected]> wrote:
>>>>
>>>>> Hi!
>>>>>
>>>>> Since the new routing, if the user is made to log in, we were always
>>>>> sending her to the 'files' app, not to the page where she actually
>>>>> wanted to go. There was also htmlentities() in the redirect header
>>>>> which made no sense IMO.
>>>>>
>>>>> As this is quite important code, i was waiting for someone in
>>>>> owncloud-dev to look at it together, but in the end i just committed
>>>>> this:
>>>>>
>>>>> http://gitorious.org/owncloud/owncloud/commit/ea33b4aaa104252ff344e93a434e6c2eedcf438b/diffs/9b5e8a2c634e07d9c6e1693158e224eda7e5f673
>>>>>
>>>> This introduces an XSS bug.
>>>> Please revert
>>>>
>>>>> So maybe Georg or someone else should check if this is what was
>>>>> intended. At least it was broken before, and this commit fixes it.
>>>>> Have a nice release! tomorrow, right?
>>>>>
>>>>> cheers,
>>>>> Michiel
>>>>> _______________________________________________
>>>>> Owncloud mailing list
>>>>> [email protected]
>>>>> https://mail.kde.org/mailman/listinfo/owncloud
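The thread above turns on what to do with the post-login redirect target: it ends up in a `header('Location: ...')` call, so HTML escaping does not fit, but passing it through unchecked is what the "filter header entries" warning is about. The example below is an added illustration written for this page, not ownCloud's code and not the commit linked above. It assumes the target arrives in a request parameter named `redirect_url` and that a site-local default path (here `/`) is an acceptable fallback; both are constructed names. The check refuses control bytes (which is what makes header injection possible) and anything that is not a path on the same site (which is what makes an open redirect possible), and only then hands the value to `header()`.

```php
<?php
// Added example, not ownCloud's code. Validate a post-login redirect target
// before it is used in a Location header. Assumptions (constructed for this
// example): the target comes from a 'redirect_url' request parameter and
// '/' is a safe site-local fallback.

function safe_redirect_target(?string $target, string $fallback = '/'): string
{
    if ($target === null || $target === '') {
        return $fallback;
    }

    // Any control byte (CR, LF, NUL, ...) in a header value is the ingredient
    // for header injection. Modern PHP refuses literal newlines in header(),
    // but rejecting the whole control range here keeps the rule explicit and
    // independent of the runtime version.
    if (preg_match('/[\x00-\x1F\x7F]/', $target)) {
        return $fallback;
    }

    // Only accept a site-local absolute path: it must start with exactly one
    // '/' and not be followed by '/' or '\', so 'https://other.example',
    // '//other.example' (protocol-relative) and '/\other.example' (some
    // browsers treat the backslash as a slash) all fall back.
    if (!preg_match('#^/(?![/\\\\])#', $target)) {
        return $fallback;
    }

    return $target;
}

function redirect_after_login(?string $target): void
{
    $location = safe_redirect_target($target);
    // No htmlentities() here: the value is a header, not HTML. HTML escaping
    // would turn a legitimate '&' in a query string into '&amp;' and break
    // the redirect without protecting the header in any way.
    header('Location: ' . $location, true, 302);
    exit;
}

// Self-check on constructed inputs; returns true when every case behaves.
function self_check(): bool
{
    $cases = [
        '/apps/calendar/?view=week&month=5'  => '/apps/calendar/?view=week&month=5',
        ''                                    => '/',
        'https://other.example/login'         => '/',
        '//other.example/login'               => '/',
        '/\\other.example/login'              => '/',
        "/files\r\nX-Injected: 1"             => '/',
    ];
    foreach ($cases as $input => $expected) {
        if (safe_redirect_target((string) $input) !== $expected) {
            return false;
        }
    }
    return true;
}

if (PHP_SAPI === 'cli') {
    echo self_check() ? "all checks passed\n" : "check failed\n";
} else {
    redirect_after_login($_GET['redirect_url'] ?? null);
}
```

Run from the command line the script exercises the constructed cases; served by a web server it performs the redirect. The design choice worth noting is that the function returns a fallback rather than raising an error: a login flow should still complete when the stored target is unusable, it just should not follow an attacker-chosen value.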
