On Friday, May 18, 2012 06:39:01 PM Michiel de Jong wrote:
> for me it works if you remove htmlentities() on line 315 of lib/utils.php.
> 
> To test, log out, then visit /?app=music&a=b
> 
> Current master will make you go to /?app=music&a=b

That worked for redirecting to apps, but it didn't work for redirecting to any 
of the settings pages that don't load off of index.php. That's why the login 
page also needs to look at $_REQUEST['redirect_url'].

Redirects should be working and open redirects should be prevented in master.


Michael


> 
> On Fri, May 18, 2012 at 6:32 PM, Michael Gapczynski <[email protected]> wrote:
> > It seems that the redirect isn't working with or without sanitizing the
> > redirect_url. I'm still trying to figure out what is going on with this.
> > 
> > I know the tar-file is being generated today, but is there a specific
> > time?
> > 
> > 
> > Michael
> > 
> > On Friday, May 18, 2012 03:42:24 PM Frank Karlitschek wrote:
> >> Thanks :-)
> >> 
> >> On 18.05.2012, at 15:41, Michiel de Jong <[email protected]> wrote:
> >> > ok, i put it back.
> >> > 
> >> > this still needs to be fixed properly though.
> >> > 
> >> >> On Fri, May 18, 2012 at 3:36 PM, Frank Karlitschek <[email protected]> wrote:
> >> >> Attackers can do evil stuff if you don't filter header entries.
> >> >> This code was introduced as part of a security fix a few weeks ago.
> >> >> 
> >> >> On 18.05.2012, at 15:20, Michiel de Jong <[email protected]> wrote:
> >> >>> how? it's a header() call.
> >> >>> 
> >> >>> ah i just found MTGap on irc. thanks!
> >> >>> 
> >> >>> On Fri, May 18, 2012 at 3:18 PM, Frank Karlitschek <[email protected]> wrote:
> >> >>>> On 18.05.2012, at 15:16, Michiel de Jong <[email protected]> wrote:
> >> >>>>> Hi!
> >> >>>>> 
> >> >>>>> Since the new routing, if the user is made to log in, we were
> >> >>>>> always
> >> >>>>> sending her to the 'files' app, not to the page where she actually
> >> >>>>> wanted to go. There was also htmlentities() in the redirect header
> >> >>>>> which made no sense IMO.
> >> >>>>> 
> >> >>>>> As this is quite important code, i was waiting for someone in
> >> >>>>> owncloud-dev to look at it together, but in the end i just
> >> >>>>> committed
> >> >>>>> this:
> >> >>>>> 
> >> >>>>> http://gitorious.org/owncloud/owncloud/commit/ea33b4aaa104252ff344e93a434e6c2eedcf438b/diffs/9b5e8a2c634e07d9c6e1693158e224eda7e5f673
> >> >>>> 
> >> >>>> This introduces a XSS bug.
> >> >>>> Please revert
> >> >>>> 
> >> >>>>> So maybe Georg or someone else should check if this is what was
> >> >>>>> intended. At least it was broken before, and this commit fixes it.
> >> >>>>> Have a nice release! tomorrow, right?
> >> >>>>> 
> >> >>>>> 
> >> >>>>> cheers,
> >> >>>>> Michiel
> >> >>>>> _______________________________________________
> >> >>>>> Owncloud mailing list
> >> >>>>> [email protected]
> >> >>>>> https://mail.kde.org/mailman/listinfo/owncloud
> >> >>> 
> >> 
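Added example, not ownCloud's code and not taken from any commit referenced in this thread: a small PHP validator for the redirect_url value discussed above. It illustrates the two points raised in the thread, that htmlentities() is the wrong tool for a Location header (it turns & into &amp; and breaks the query string while doing nothing about CR/LF header injection), and that the value must be restricted to a site-local path so the login page cannot become an open redirect. The function names safe_redirect_target() and redirect_after_login() and the test inputs are my own assumptions, not ownCloud identifiers.

```php
<?php
// Added example (not ownCloud code). Validates a post-login redirect target
// so that $_REQUEST['redirect_url'] can only send the user back into this
// installation, never to another host and never into a second header.
// Function names are hypothetical.

/**
 * Return a site-local path for $target, or $fallback if $target cannot be
 * shown to be local. Absolute URLs, scheme-relative URLs ("//evil"),
 * the backslash variant ("/\evil") and control characters are rejected.
 */
function safe_redirect_target(?string $target, string $fallback = '/'): string
{
    if ($target === null || $target === '') {
        return $fallback;
    }
    // CR/LF (or any other control byte) would let the value terminate the
    // Location header and inject further headers or a response body.
    // PHP itself has refused header values containing a newline since 5.1.2,
    // but the rejection belongs in validation, not in header()'s error path.
    if (preg_match('/[\x00-\x1F\x7F]/', $target)) {
        return $fallback;
    }
    // Must be a path on this site: exactly one leading slash. "//host/..."
    // is a scheme-relative URL, and browsers treat "/\host/..." the same way.
    if ($target[0] !== '/' || preg_match('#^/[/\\\\]#', $target)) {
        return $fallback;
    }
    // Belt and braces: parse_url() must agree there is no scheme, host or
    // userinfo component hiding in the value.
    $parts = parse_url($target);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])
        || isset($parts['user'])) {
        return $fallback;
    }
    return $target;
}

/**
 * Emit the redirect. The value goes into an HTTP header, so HTML entity
 * encoding is wrong here: htmlentities('/?app=music&a=b') yields
 * '/?app=music&amp;a=b', which breaks the query string. Entity encoding is
 * for the moment the URL is printed into an HTML page (for instance a
 * hidden form field that carries redirect_url through the login form),
 * not for header().
 */
function redirect_after_login(?string $requested): void
{
    header('Location: ' . safe_redirect_target($requested), true, 302);
    exit;
}

// Constructed test inputs (not from the thread); run with: php redirect.php
if (PHP_SAPI === 'cli') {
    $cases = [
        '/?app=music&a=b'              => '/?app=music&a=b',      // kept intact
        '/settings/personal.php'       => '/settings/personal.php',
        'http://attacker.example/'     => '/',  // absolute URL: open redirect
        '//attacker.example/'          => '/',  // scheme-relative URL
        '/\\attacker.example/'         => '/',  // backslash variant
        "/?a=b\r\nSet-Cookie: x=y"     => '/',  // header injection attempt
        'javascript:alert(1)'          => '/',  // no leading slash
        ''                             => '/',  // empty: use the fallback
    ];
    foreach ($cases as $in => $expected) {
        $got = safe_redirect_target($in);
        printf("%-36s -> %-24s %s\n", json_encode($in), $got,
            $got === $expected ? 'ok' : 'FAIL');
    }
}
```

The validator deliberately allows only paths, so a deployment that serves ownCloud from a sub-directory still gets correct behaviour because the path already carries that prefix; if a site legitimately needs to redirect to another host, the right fix is an explicit allow-list of hosts checked against parse_url()'s host component, not a weaker pattern.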