Item1020: TemplateLogin corrupts origurl param
Priority: Urgent
Current State: Closed
Released In: 1.0.1
Target Release: patch
Applies To: Engine
Component:
Branches:
Steps to reproduce:
- Configure Foswiki to use TemplateLogin
- Try to edit a page without being logged in
- The login screen appears. Log in.
- If the login is successful, there is no problem
- Logout
- Try to edit a page
- Login screen: enter wrong credentials
- Login screen again: enter right credentials
- You are editing WebHome!
When TemplateLogin realizes that there is no logged in user, it redirects to the login screen and passes the origurl param. The login screen adds all parameters as hidden fields to preserve them. The origurl is handled in a different way: it is deleted from the request, so %QUERYPARAMS{...}% (at login.tmpl) doesn't add it as a hidden field. Then login.tmpl adds the origurl parameter and defines it to %ORIGURL%, which is a session preference defined at the end of Foswiki::LoginManager::TemplateLogin::login. Here is the problem: ORIGURL is defined as a url-encoded version of the original origurl param. That's OK the first time. But after a fail, the already-encoded value is encoded again. From this moment on it's garbage.
Since hidden field values don't need to be url-encoded, I think the best solution is to define the ORIGURL preference without encodings.
--
GilmarSantosJr - 07 Feb 2009
Hidden field values don't need to be url-encoded, but they do need to be encoded (entity or safe). This way there is no XSS vector and the original problem doesn't reappear.
--
GilmarSantosJr - 09 Feb 2009
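The re-encoding loop from the first comment and the entity-encoding fix from the second, modelled as an added Python example (this is not Foswiki's code and does not read login.tmpl). It assumes the original login handler url-decodes origurl once before redirecting, which the "first time is OK" observation implies, and that the browser entity-decodes a hidden field's value before posting it; the sample URL and the XSS probe are constructed.

```python
"""Model of the origurl round trip through the login form described in Item1020.

Three ways of filling  <input type="hidden" name="origurl" value="..."> are
compared over repeated failed logins:
  url_encoded    - the original behaviour (ORIGURL = url-encoded origurl)
  raw            - no encoding at all (no re-encoding, but an XSS vector)
  entity_encoded - the fix proposed in the comments (encode for HTML)
"""
from html import escape, unescape
from urllib.parse import quote, unquote

# Constructed sample values, not taken from a real Foswiki installation.
ORIGURL = "/foswiki/bin/edit/Main/WebHome?t=1234&skin=plain"
XSS_PROBE = '"><script>alert(1)</script>'


def url_encoded(value: str) -> str:
    """Original behaviour: %ORIGURL% is the url-encoded origurl param."""
    return quote(value, safe="")


def raw(value: str) -> str:
    """No encoding: stable across retries but can break out of value="..."."""
    return value


def entity_encoded(value: str) -> str:
    """Proposed fix: encode for an HTML attribute, not for a URL."""
    return escape(value, quote=True)


def browser_submits(attr_value: str) -> str:
    """What the server's CGI layer receives when the form is posted.

    Assumption: the browser entity-decodes the attribute value, url-encodes it
    for transport, and CGI url-decodes the transport layer again, so the only
    net effect is the entity decoding.
    """
    return unescape(attr_value)


def login_flow(encoder, origurl: str, failed_logins: int, decode_on_redirect: bool) -> str:
    """Return the URL the user is redirected to after `failed_logins` wrong
    passwords followed by one successful login.

    `decode_on_redirect` models whether the login handler url-decodes origurl
    before redirecting (assumed True for the original code, since the first
    login otherwise could not have worked; the fix needs no decoding).
    """
    param = origurl
    for _ in range(failed_logins + 1):
        hidden_value = encoder(param)      # what login.tmpl renders into value="..."
        param = browser_submits(hidden_value)
    return unquote(param) if decode_on_redirect else param


def attribute_is_safe(encoder, value: str) -> bool:
    """True if the rendered value can neither close value="..." nor open a tag."""
    rendered = encoder(value)
    return '"' not in rendered and "<" not in rendered and ">" not in rendered


if __name__ == "__main__":
    for fails in range(3):
        print(fails, "failed login(s):")
        print("  url-encoded    ->", login_flow(url_encoded, ORIGURL, fails, True))
        print("  entity-encoded ->", login_flow(entity_encoded, ORIGURL, fails, False))
    print("raw attribute safe?   ", attribute_is_safe(raw, XSS_PROBE))
    print("entity attribute safe?", attribute_is_safe(entity_encoded, XSS_PROBE))
```

With url-encoding the redirect target is correct only when there are zero failed logins; after one failure it is the once-encoded string (%2Ffoswiki%2Fbin...), because each pass through the form encodes again while the redirect decodes only once. Entity encoding is a fixed point under the browser's decoding, so the value survives any number of retries, and unlike the raw value it cannot terminate the attribute or start a tag.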