It seems that the redirect isn't working with or without sanitizing the redirect_url. I'm still trying to figure out what is going on with this.
I know the tar-file is being generated today, but is there a specific time?

Michael

On Friday, May 18, 2012 03:42:24 PM Frank Karlitschek wrote:
> Thanks :-)
>
> On 18.05.2012, at 15:41, Michiel de Jong <[email protected]> wrote:
>
> > ok, i put it back.
> >
> > this still needs to be fixed properly though.
> >
> > On Fri, May 18, 2012 at 3:36 PM, Frank Karlitschek <[email protected]> wrote:
> >> Attackers can do evil stuff if you don't filter header entries.
> >> This code was introduced as part of a security fix a few weeks ago.
> >>
> >> On 18.05.2012, at 15:20, Michiel de Jong <[email protected]> wrote:
> >>> how? it's a header() call.
> >>>
> >>> ah i just found MTGap on irc. thanks!
> >>>
> >>> On Fri, May 18, 2012 at 3:18 PM, Frank Karlitschek <[email protected]> wrote:
> >>>> On 18.05.2012, at 15:16, Michiel de Jong <[email protected]> wrote:
> >>>>> Hi!
> >>>>>
> >>>>> Since the new routing, if the user is made to log in, we were always
> >>>>> sending her to the 'files' app, not to the page where she actually
> >>>>> wanted to go. There was also htmlentities() in the redirect header
> >>>>> which made no sense IMO.
> >>>>>
> >>>>> As this is quite important code, i was waiting for someone in
> >>>>> owncloud-dev to look at it together, but in the end i just committed
> >>>>> this:
> >>>>>
> >>>>> http://gitorious.org/owncloud/owncloud/commit/ea33b4aaa104252ff344e93a434e6c2eedcf438b/diffs/9b5e8a2c634e07d9c6e1693158e224eda7e5f673
> >>>>
> >>>> This introduces an XSS bug.
> >>>> Please revert
> >>>>
> >>>>> So maybe Georg or someone else should check if this is what was
> >>>>> intended. At least it was broken before, and this commit fixes it.
> >>>>> Have a nice release! tomorrow, right?
> >>>>>
> >>>>>
> >>>>> cheers,
> >>>>> Michiel
> >>>>> _______________________________________________
> >>>>> Owncloud mailing list
> >>>>> [email protected]
> >>>>> https://mail.kde.org/mailman/listinfo/owncloud
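The redirect_url handling discussed in the thread above, as an added example that is not ownCloud's code: it rejects CR/LF (header injection) and anything other than a same-origin path before header('Location: ...') is called, and applies no htmlentities() to the header value since that is HTML encoding, not header validation. The function names, the fallback path and the sample inputs are assumptions.

```php
<?php
// Added example (not ownCloud's code): validate a post-login redirect target
// before passing it to header('Location: ...').
// Assumptions: $_REQUEST['redirect_url'] carries the target, $defaultUrl is
// the fallback ('files' app), and only same-origin paths are acceptable.

function safeRedirectTarget(?string $candidate, string $defaultUrl): string {
    if ($candidate === null || $candidate === '') {
        return $defaultUrl;
    }
    // CR/LF would terminate the Location header and let further headers or a
    // body be appended (header injection). PHP's header() itself refuses
    // newlines, but reject explicitly so the safe fallback is used.
    if (preg_match('/[\r\n\x00]/', $candidate)) {
        return $defaultUrl;
    }
    // Only allow a path on this host: one leading '/', so '//evil.example'
    // (protocol-relative) and 'http://evil.example' are rejected and the
    // login page cannot be used as an open redirect.
    if ($candidate[0] !== '/' || (isset($candidate[1]) && $candidate[1] === '/')) {
        return $defaultUrl;
    }
    // Backslashes are treated like '/' by some browsers; reject them too.
    if (strpos($candidate, '\\') !== false) {
        return $defaultUrl;
    }
    return $candidate;
}

function redirectAfterLogin(string $defaultUrl = '/index.php/apps/files'): void {
    $target = safeRedirectTarget($_REQUEST['redirect_url'] ?? null, $defaultUrl);
    // No htmlentities() here: Location is an HTTP header, not HTML, so HTML
    // encoding would alter the URL ('&' becomes '&amp;') rather than protect
    // the header. HTML escaping belongs where the URL is echoed into a page.
    header('Location: ' . $target, true, 302);
    exit;
}

// Constructed samples showing the decision for each input class.
$samples = [
    '/index.php/apps/calendar' => 'accepted (same-origin path)',
    '//evil.example/'          => 'rejected (protocol-relative)',
    'http://evil.example/'     => 'rejected (absolute URL)',
    "/x\r\nSet-Cookie: a=b"    => 'rejected (header injection)',
    ''                         => 'falls back to default',
];
foreach ($samples as $in => $why) {
    printf("%-30s -> %s  [%s]\n", json_encode($in), safeRedirectTarget($in, '/index.php/apps/files'), $why);
}
```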
