On 18.05.2012 at 23:09, Michael Gapczynski wrote:
> On Friday, May 18, 2012 06:39:01 PM Michiel de Jong wrote:
>> for me it works if you remove htmlentities() on line 315 of lib/utils.php.
>>
>> To test, log out, then visit /?app=music&a=b
>>
>> Current master will make you go to /?app=music&a=b
>
> That worked for redirecting to apps, but it didn't work for redirecting to any
> of the settings pages that don't load off of index.php. That's why the login
> page also needs to look at $_REQUEST['redirect_url'].
>
> Redirects should be working and open redirects should be prevented in master.
> Would it be enough to deny redirect_urls, which match a http(s) url pattern?
>
> Michael
>
>> On Fri, May 18, 2012 at 6:32 PM, Michael Gapczynski <[email protected]> wrote:
>>> It seems that the redirect isn't working with or without sanitizing the
>>> redirect_url. I'm still trying to figure out what is going on with this.
>>>
>>> I know the tar-file is being generated today, but is there a specific
>>> time?
>>>
>>> Michael
>>>
>>> On Friday, May 18, 2012 03:42:24 PM Frank Karlitschek wrote:
>>>> Thanks :-)
>>>>
>>>> On 18.05.2012, at 15:41, Michiel de Jong <[email protected]> wrote:
>>>>> ok, i put it back.
>>>>>
>>>>> this still needs to be fixed properly though.
>>>>>
>>>>> On Fri, May 18, 2012 at 3:36 PM, Frank Karlitschek <[email protected]> wrote:
>>>>>> Attackers can do evil stuff if you don't filter header entries.
>>>>>> This code was introduced as part of a security fix a few weeks ago.
>>>>>>
>>>>>> On 18.05.2012, at 15:20, Michiel de Jong <[email protected]> wrote:
>>>>>>> how? it's a header() call.
>>>>>>>
>>>>>>> ah i just found MTGap on irc. thanks!
>>>>>>>
>>>>>>> On Fri, May 18, 2012 at 3:18 PM, Frank Karlitschek <[email protected]> wrote:
>>>>>>>> On 18.05.2012, at 15:16, Michiel de Jong <[email protected]> wrote:
>>>>>>>>> Hi!
>>>>>>>>>
>>>>>>>>> Since the new routing, if the user is made to log in, we were always
>>>>>>>>> sending her to the 'files' app, not to the page where she actually
>>>>>>>>> wanted to go. There was also htmlentities() in the redirect header
>>>>>>>>> which made no sense IMO.
>>>>>>>>>
>>>>>>>>> As this is quite important code, i was waiting for someone in
>>>>>>>>> owncloud-dev to look at it together, but in the end i just committed
>>>>>>>>> this:
>>>>>>>>>
>>>>>>>>> http://gitorious.org/owncloud/owncloud/commit/ea33b4aaa104252ff344e93a434e6c2eedcf438b/diffs/9b5e8a2c634e07d9c6e1693158e224eda7e5f673
>>>>>>>>
>>>>>>>> This introduces an XSS bug.
>>>>>>>> Please revert
>>>>>>>>
>>>>>>>>> So maybe Georg or someone else should check if this is what was
>>>>>>>>> intended. At least it was broken before, and this commit fixes it.
>>>>>>>>> Have a nice release! tomorrow, right?
>>>>>>>>>
>>>>>>>>> cheers,
>>>>>>>>> Michiel
_______________________________________________ Owncloud mailing list [email protected] https://mail.kde.org/mailman/listinfo/owncloud
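The thread circles around two separate problems with the post-login redirect: htmlentities() is HTML escaping, so applying it to a Location header value only corrupts the URL without addressing header injection, and Michael's proposed deny-list ("reject anything matching an http(s) URL pattern") still lets a scheme-relative target like "//other.example/" through, which browsers treat as another origin. The usual fix is an allow-list: accept only a single same-site absolute path and fall back to a default otherwise. The code below is an added illustration of that check, not ownCloud's code and not what the commit under discussion did; the function names, the PHP 7+ type declarations and the sample inputs are assumptions made for the example.

```php
<?php
// Added example (not ownCloud code): allow-list validation of a
// user-supplied redirect_url before it reaches header('Location: ...').
// Function names and the sample inputs below are constructed for this example.

/**
 * Return $candidate if it is a same-site path, otherwise $default.
 *
 * Accepted: a single absolute path on this host, e.g. "/?app=music&a=b"
 * or "/settings/personal.php". Refused, because a browser could read it
 * as another origin or it could corrupt the header:
 *   - absolute URLs with a scheme ("http://...", "https://...")
 *   - scheme-relative URLs ("//other.example/")
 *   - the backslash variant ("/\other.example/"), which browsers normalise to "//"
 *   - control characters and whitespace (CR/LF would split the header;
 *     PHP's header() refuses newlines since 5.1.2, but the check should
 *     not depend on that)
 */
function safeRedirectTarget(string $candidate, string $default = '/'): string
{
    // Empty, or contains a control character / space: not a usable path.
    if ($candidate === '' || preg_match('/[\x00-\x20\x7f]/', $candidate)) {
        return $default;
    }
    // Must start with exactly one "/"; a second "/" or "\" would make it
    // scheme-relative, i.e. point at a different host.
    if ($candidate[0] !== '/') {
        return $default;
    }
    if (strlen($candidate) > 1 && ($candidate[1] === '/' || $candidate[1] === '\\')) {
        return $default;
    }
    // Belt and braces: parse_url() must agree there is no scheme or host.
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $candidate;
}

/**
 * What the login page would do with $_REQUEST['redirect_url'].
 * No htmlentities(): a Location header is not HTML, so HTML escaping
 * only breaks the URL. Injection is handled by safeRedirectTarget().
 */
function redirectAfterLogin(): void
{
    $raw = $_REQUEST['redirect_url'] ?? '';
    $target = safeRedirectTarget(is_string($raw) ? $raw : '');
    header('Location: ' . $target, true, 302);
    exit;
}

// Self-check, runnable from the CLI: php validate_redirect.php
// (inputs are constructed for the example; "other.example" is a placeholder host)
$cases = [
    '/?app=music&a=b'          => '/?app=music&a=b',
    '/settings/personal.php'   => '/settings/personal.php',
    'http://other.example/'    => '/',
    'HTTPS://other.example/'   => '/',
    '//other.example/'         => '/',
    '/\\other.example/'        => '/',
    "/ok\r\nX-Injected: 1"     => '/',
    'index.php?app=music'      => '/',
    ''                         => '/',
];
foreach ($cases as $input => $expected) {
    $got = safeRedirectTarget((string) $input);
    printf("%-28s -> %-24s %s\n", json_encode($input), $got,
        $got === $expected ? 'ok' : 'FAIL');
}
```

The allow-list deliberately rejects relative targets without a leading slash (such as "index.php?app=music"): resolving them correctly would depend on the current request path, and a fixed default is the safer failure mode for a login redirect. If settings pages that do not load through index.php need to be reachable, they still qualify as long as they are expressed as an absolute path on the same host, which is what the second check in the thread ($_REQUEST['redirect_url'] on the login page) was about.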
