Item1020: TemplateLogin corrupts origurl param

Priority: Urgent
Current State: Closed
Released In: 1.0.1
Target Release: patch
Applies To: Engine
Component:
Branches:
Reported By: GilmarSantosJr
Waiting For:
Last Change By: KennethLavrsen
Steps to reproduce:

  1. Configure foswiki to use TemplateLogin
  2. Try to edit a page without being logged in
  3. The login screen appears. Log in.
  4. If the login is successful, there is no problem
  5. Logout
  6. Try to edit a page
  7. Login screen: enter wrong credentials
  8. Login screen again: enter right credentials
  9. You are editing WebHome!

When TemplateLogin realizes that there is no logged in user, it redirects to the login screen and passes the origurl param. The login screen adds all parameters as hidden fields to preserve them. The origurl is handled in a different way: it is deleted from the request, so %QUERYPARAMS{...}% (at login.tmpl) doesn't add it as a hidden field. Then login.tmpl adds the origurl parameter and sets it to %ORIGURL%, which is a session preference defined at the end of Foswiki::LoginManager::TemplateLogin::login. Here is the problem: ORIGURL is defined as a url-encoded version of the original origurl param. That's OK the first time. But after a failure, the already-encoded value is encoded again. From this moment on it's garbage.

Since hidden field values don't need to be url-encoded, I think the best solution is to define the ORIGURL preference without encoding.

-- GilmarSantosJr - 07 Feb 2009

Hidden field values don't need to be url-encoded, but they do need to be encoded (entity or safe). This way there is no XSS vector and the original problem doesn't reappear.

-- GilmarSantosJr - 09 Feb 2009
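The round trip described in the report and the two proposed fixes, modelled in Python as an added example (this is not Foswiki code; the function names, the sample URLs and the assumption that the browser decodes entity references in the attribute and the CGI layer undoes the form's url-encoding are all constructed for the model):

```python
"""Model of the Item1020 origurl round trip through the TemplateLogin screen.

Constructed example, not Foswiki code. It compares three ways the login
handler could derive the ORIGURL session preference from the incoming
origurl request parameter.
"""
from html import escape, unescape
from urllib.parse import quote


def origurl_pref_urlencoded(origurl):
    """Foswiki 1.0.0 behaviour as described in the report: url-encode it."""
    return quote(origurl, safe="")


def origurl_pref_raw(origurl):
    """The first proposal (07 Feb): store the value without any encoding."""
    return origurl


def origurl_pref_entity_encoded(origurl):
    """The amended proposal (09 Feb): entity-encode, which is what an HTML
    attribute value actually needs."""
    return escape(origurl, quote=True)


def render_hidden(name, value_attr):
    """What login.tmpl emits: a hidden field whose value is %ORIGURL%."""
    return f'<input type="hidden" name="{name}" value="{value_attr}" />'


def browser_submits(value_attr):
    """What the server receives when the form is posted (assumption of this
    model): the browser decodes entity references while parsing the attribute,
    and the CGI layer undoes the form's own url-encoding, so the parameter
    arrives as the parsed attribute text."""
    return unescape(value_attr)


def login_round_trip(set_pref, origurl, failed_attempts):
    """Show the login screen `failed_attempts` times with wrong credentials and
    once more with right ones; return the origurl value the server ends up
    with. Each pass re-derives ORIGURL from whatever came back."""
    received = origurl
    for _ in range(failed_attempts + 1):
        pref = set_pref(received)          # end of TemplateLogin::login
        received = browser_submits(pref)   # user posts the login form
    return received


def hidden_field_is_contained(set_pref, origurl):
    """True if the rendered hidden field still has exactly one tag and exactly
    the three attribute values it started with, i.e. the origurl value could
    not break out of the value="..." attribute."""
    html = render_hidden("origurl", set_pref(origurl))
    return html.count("<") == 1 and html.count('"') == 6


if __name__ == "__main__":
    # Constructed sample values.
    url = "/bin/edit/Main/WebHome?t=1234&web=Main"
    hostile = '/bin/view/Main/WebHome"><b>injected</b>'
    for label, fn in (("url-encoded", origurl_pref_urlencoded),
                      ("raw", origurl_pref_raw),
                      ("entity-encoded", origurl_pref_entity_encoded)):
        print(f"{label:15} 0 failures: {login_round_trip(fn, url, 0)}")
        print(f"{label:15} 1 failure:  {login_round_trip(fn, url, 1)}")
        print(f"{label:15} contained:  {hidden_field_is_contained(fn, hostile)}")
```

With the url-encoded preference the value picks up one more layer of percent-encoding per failed attempt, so after one failure the server is left with `%252F...`, which no single decode recovers. The raw preference round-trips cleanly but lets a value containing a quote close the attribute. The entity-encoded preference round-trips cleanly for any number of failures, because the browser undoes the entity encoding before resubmitting, and it keeps the value inside the attribute.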


Summary: TemplateLogin corrupts origurl param
ReportedBy: GilmarSantosJr
Codebase:
SVN Range: Foswiki-1.0.0, Thu, 08 Jan 2009, build 1878
AppliesTo: Engine
Component:
Priority: Urgent
CurrentState: Closed
WaitingFor:
Checkins: distro:74f916973ea6 distro:4d696558a9d4
TargetRelease: patch
ReleasedIn: 1.0.1
Topic revision: r6 - 23 Feb 2009, KennethLavrsen