On Saturday, May 19, 2012 12:00:28 AM Georg Ehrke wrote:
> On 18.05.2012 at 23:09 Michael Gapczynski wrote:
> > On Friday, May 18, 2012 06:39:01 PM Michiel de Jong wrote:
> >> for me it works if you remove htmlentities() on line 315 of
> >> lib/utils.php.
> >>
> >> To test, log out, then visit /?app=music&a=b
> >>
> >> Current master will make you go to /?app=music&a=b
> >
> > That worked for redirecting to apps, but it didn't work for redirecting to
> > any of the settings pages that don't load off of index.php. That's why
> > the login page also needs to look at $_REQUEST['redirect_url'].
> >
> > Redirects should be working and open redirects should be prevented in
> > master.
> Would it be enough to deny redirect_urls, which match a http(s) url pattern?

I thought about that, but wouldn't that mean you'd also have to check for .com, .net, .org, etc. ?

> > Michael
> >
> >> On Fri, May 18, 2012 at 6:32 PM, Michael Gapczynski <[email protected]> wrote:
> >>> It seems that the redirect isn't working with or without sanitizing the
> >>> redirect_url. I'm still trying to figure out what is going on with this.
> >>>
> >>> I know the tar-file is being generated today, but is there a specific
> >>> time?
> >>>
> >>>
> >>> Michael
> >>>
> >>> On Friday, May 18, 2012 03:42:24 PM Frank Karlitschek wrote:
> >>>> Thanks :-)
> >>>>
> >>>> On 18.05.2012, at 15:41, Michiel de Jong <[email protected]> wrote:
> >>>>> ok, i put it back.
> >>>>>
> >>>>> this still needs to be fixed properly though.
> >>>>>
> >>>>> On Fri, May 18, 2012 at 3:36 PM, Frank Karlitschek <[email protected]> wrote:
> >>>>>> Attackers can do evil stuff if you don't filter header entries.
> >>>>>> This code was introduced as part of a security fix a few weeks ago.
> >>>>>>
> >>>>>> On 18.05.2012, at 15:20, Michiel de Jong <[email protected]> wrote:
> >>>>>>> how? it's a header() call.
> >>>>>>>
> >>>>>>> ah i just found MTGap on irc. thanks!
> >>>>>>>
> >>>>>>> On Fri, May 18, 2012 at 3:18 PM, Frank Karlitschek <[email protected]> wrote:
> >>>>>>>> On 18.05.2012, at 15:16, Michiel de Jong <[email protected]> wrote:
> >>>>>>>>> Hi!
> >>>>>>>>>
> >>>>>>>>> Since the new routing, if the user is made to log in, we were always
> >>>>>>>>> sending her to the 'files' app, not to the page where she actually
> >>>>>>>>> wanted to go. There was also htmlentities() in the redirect header
> >>>>>>>>> which made no sense IMO.
> >>>>>>>>>
> >>>>>>>>> As this is quite important code, i was waiting for someone in
> >>>>>>>>> owncloud-dev to look at it together, but in the end i just committed
> >>>>>>>>> this:
> >>>>>>>>>
> >>>>>>>>> http://gitorious.org/owncloud/owncloud/commit/ea33b4aaa104252ff344e93a434e6c2eedcf438b/diffs/9b5e8a2c634e07d9c6e1693158e224eda7e5f673
> >>>>>>>>
> >>>>>>>> This introduces an XSS bug.
> >>>>>>>> Please revert
> >>>>>>>>
> >>>>>>>>> So maybe Georg or someone else should check if this is what was
> >>>>>>>>> intended. At least it was broken before, and this commit fixes it.
> >>>>>>>>> Have a nice release! tomorrow, right?
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> cheers,
> >>>>>>>>> Michiel
> >>>>>>>>> _______________________________________________
> >>>>>>>>> Owncloud mailing list
> >>>>>>>>> [email protected]
> >>>>>>>>> https://mail.kde.org/mailman/listinfo/owncloud
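The approach the thread converges on (the login page reads $_REQUEST['redirect_url'], stops passing it through htmlentities(), and still has to prevent open redirects) can be handled by allowlisting root-relative paths instead of denying http(s) patterns or checking for .com/.net/.org. The following is an added example and not ownCloud's code; the function name and the sample paths are constructed, and it assumes only the header() call and the redirect_url parameter that the thread mentions.

```php
<?php
// Added example, not ownCloud's code. It assumes the login page reads the
// target from $_REQUEST['redirect_url'] and emits it with header(), as in
// the thread; the sample paths below are constructed.

// Return $candidate if it is a root-relative path on this site, else $default.
// Allowlisting a single leading "/" rejects absolute URLs ("http://evil.example/"),
// scheme-relative ones ("//evil.example"), the backslash variant ("/\evil.example")
// that browsers normalise to "//", and anything that is not a path at all, so no
// list of schemes or TLDs is needed.
function safeRedirectTarget($candidate, $default = '/')
{
    if (!is_string($candidate) || $candidate === '') {
        return $default;
    }
    // No control bytes: CR/LF would split the Location header into a second one.
    if (preg_match('/[\x00-\x1F\x7F]/', $candidate)) {
        return $default;
    }
    // Exactly one leading slash; the next character must not open an authority.
    if ($candidate[0] !== '/'
        || (isset($candidate[1]) && ($candidate[1] === '/' || $candidate[1] === '\\'))) {
        return $default;
    }
    // Belt and braces: if parse_url() still sees a scheme or host, reject.
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $candidate;
}

// Login page: send the user where they wanted to go, or to "/" if the target
// is not local. No htmlentities() here: Location is not HTML, and encoding
// "&" as "&amp;" turns "/?app=music&a=b" into a different URL.
function redirectAfterLogin()
{
    $wanted = isset($_REQUEST['redirect_url']) ? $_REQUEST['redirect_url'] : null;
    header('Location: ' . safeRedirectTarget($wanted));
    exit;
}

// Constructed inputs; run `php thisfile.php` to see which ones survive.
$samples = ['/?app=music&a=b', '/settings/page.php', 'http://evil.example/',
            '//evil.example/', '/\\evil.example', "/ok\r\nX-Injected: 1"];
foreach ($samples as $c) {
    printf("%-32s -> %s\n", json_encode($c), safeRedirectTarget($c));
}
```

Only the first two constructed samples come back unchanged; every other one falls back to "/", which is what the login page should do when the requested target is not a page on this installation.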
