The foswiki svn repository will become read-only on Friday 8/8. Developers should register for a http://github.com/ account for commit access to foswiki.

Item1020: TemplateLogin corrupts origurl param

Priority: CurrentState: AppliesTo: Component: WaitingFor:
Urgent Closed Engine    
Steps to reproduce:

  1. Configure foswiki to use TemplateLogin
  2. Try to edit a page without been logged in
  3. The login screen appears. Log in.
  4. If the login is successful, there is no problem
  5. Logout
  6. Try to edit a page
  7. Login screen: enter wrong credentials
  8. Login screen again: enter right credentials
  9. You are editing WebHome!

When TemplateLogin realizes that there is no logged in user, it redirects to login screen and pass origurl param. The login screen adds all parameters as hidden fields to preserve them. The origurl is handled in a different way: it is deleted from the request, so %QUERYPARAMS{...}% (at login.tmpl) doesn't add it as a hidden field. Then login.tmpl adds origurl parameter and defines it to %ORIGURL%, that is a session preference, defined at the end of Foswiki::LoginManager::TemplateLogin::login. Here is the problem: ORIGURL is defined as a url-encoded version of the original origurl param. That's OK to the first time. But after a fail, the already-encoded value is encoded again. From this moment on it's garbage.

Since hidden field values doesn't need to be url-encoded, I think the best solution is to define ORIGURL preference without encodings.

-- GilmarSantosJr - 07 Feb 2009

Hidden field values doesn't need to be url-encoded, but does need to be encoded (entity or safe). This way there is no XSS vector and the original problem doesn't reappear.

-- GilmarSantosJr - 09 Feb 2009

ItemTemplate edit

Summary TemplateLogin corrupts origurl param
ReportedBy GilmarSantosJr
Codebase
SVN Range Foswiki-1.0.0, Thu, 08 Jan 2009, build 1878
AppliesTo Engine
Component
Priority Urgent
CurrentState Closed
WaitingFor
Checkins Foswikirev:2399 Foswikirev:2423
TargetRelease patch
ReleasedIn 1.0.1
Topic revision: r6 - 23 Feb 2009, KennethLavrsen
 
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. see CopyrightStatement. Creative Commons License