Item10064: redirectto in Rename broken since 1.1

Priority: CurrentState: AppliesTo: Component: WaitingFor:
Urgent Closed Engine   OliverKrueger
While comparing a 1.0.9 and a 1.1.2 installation, I discovered that the redirectto url param is not working anymore.

Looking at Foswiki::UI::Rename::rename() makes me think, that its not handled at all.

Unless somebody points me to some code deeper in the core, which takes care of that, I will add some code directly in UI::Rename.

-- OliverKrueger - 22 Nov 2010

We are experiencing the same problem here. No redirect on rename. Once in 1.0.9 working wiki applications fail to rewrite after a rename.

-- AndreLichtsteiner - 29 Nov 2010

Oliver: Foswiki.pm, sub redirectto

-- CrawfordCurrie - 29 Nov 2010

So, if I understand right, the code is all here.

Is there a configuration parameter that needs update in order to redirect to a http:// url after rename?

Here a hack I managed to get to work:
--- /lib/Foswiki/UI/Rename.pm   Mon Nov 29 15:15:32 2010
+++ /lib/Foswiki/UI/Rename.pm orig   Wed Nov 10 01:29:12 2010
@@ -305,8 +305,2 @@
 
-    my $redirectto = $query->param('redirectto') || '';
-    
-    if ($redirectto) {
-       $new_url = $query->param('redirectto');
-    }
-
     return $new_url;
-- AndreLichtsteiner - 29 Nov 2010

Yep, except the param should be gated through Foswiki::redirectto to handle web.topic notation aswell.

-- OliverKrueger - 29 Nov 2010

AndreLichtsteiner reports "unsafe" redirects. Its possible to redirect to http://google.com/ although that URL is not in the PermittedFooList.

-- OliverKrueger - 29 Nov 2010

Nevermind my edit, I'm opening a new Task as it seems sufficiently different in nature

-- KiltBear - 03 Jan 2011

Is this task okay to close/release in 1.1.3, or is there a security issue with unsafe redirects? If I try the following on 1.1.3, I get an oops warning about unsafe redirect:

http://some.foswiki.com/rename/Sandbox/TestTopic0?redirectto=http://google.com
...
Attention

Access check on Main.WebHome failed. Action "redirect": unsafe redirect to ARRAY(0x84f7020): host does not match {DefaultUrlHost} , and is not in {PermittedRedirectHostUrls}"http://some.foswiki.com/".

The ARRAY operand suggests that there is something not quite right though. Raising to urgent to verify that there is not an issue with unsafe urls and I'm not recreating the correct test case.

-- GeorgeClark - 09 Mar 2011

The url parameter was not being retrieved from the $query - Works if retrieved from CGI. Verified that unsafe-redirect it caught if the destination is not in the list of authorized hosts.

-- GeorgeClark - 12 Mar 2011
 
Topic revision: r15 - 16 Apr 2011, KennethLavrsen
 
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. see CopyrightStatement. Creative Commons License