Item1020: TemplateLogin corrupts origurl param
Current State: Closed
Released In: 1.0.1
Target Release: patch
Applies To: Engine
Steps to reproduce:
- Configure foswiki to use
- Try to edit a page without been logged in
- The login screen appears. Log in.
- If the login is successful, there is no problem
- Try to edit a page
- Login screen: enter wrong credentials
- Login screen again: enter right credentials
- You are editing
realizes that there is no logged in user, it redirects to login screen and pass
param. The login screen adds all parameters as hidden fields to preserve them. The
is handled in a different way: it is deleted
from the request, so
(at login.tmpl) doesn't add it as a hidden field. Then
parameter and defines it to
, that is a session preference, defined at the end of
. Here is the problem:
is defined as a url-encoded version of the original
param. That's OK to the first time. But after a fail, the already-encoded value is encoded again. From this moment on it's garbage.
Since hidden field values doesn't need to be url-encoded, I think the best solution is to define
preference without encodings.
- 07 Feb 2009
Hidden field values doesn't need to be url-encoded, but does need
to be encoded (entity or safe). This way there is no XSS vector and the original problem doesn't reappear.
- 09 Feb 2009