LP#1314827: On login, don't allow referer-based redirect to external site
author Jeff Davis <jdavis@sitka.bclibraries.ca>
Fri, 16 May 2014 22:14:43 +0000 (15:14 -0700)
committer Ben Shum <bshum@biblio.org>
Fri, 3 Oct 2014 06:19:22 +0000 (02:19 -0400)
On /eg/opac/login, if no redirect_to param is provided, the TPAC will
attempt to use the referer (if any) as the redirect destination. This
leads to undesirable behavior if the referring URL is from an external
site.

Signed-off-by: Jeff Davis <jdavis@sitka.bclibraries.ca>
Signed-off-by: Ben Shum <bshum@biblio.org>
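The commit message describes the classic open-redirect condition: a post-login redirect target taken from an attacker-influenceable source (here the Referer header) without checking that it stays on the OPAC's own host and path. The following is an added example, not Evergreen's code, showing the same check done by parsing the URL rather than by regex: host compared exactly, scheme restricted to http(s), and the path required to sit under the OPAC root. It goes slightly beyond the commit by applying the same validation to an explicit `redirect_to` value and by accepting site-relative paths. `OPAC_HOSTNAME`, `OPAC_ROOT`, `DEFAULT_TARGET` and `login_path` are constructed stand-ins for the template's `ctx.hostname`, `ctx.opac_root`, the My Account URL and `ctx.path_info`.

```python
from urllib.parse import urlsplit

# Constructed values standing in for ctx.hostname / ctx.opac_root (assumptions, not Evergreen config).
OPAC_HOSTNAME = "catalog.example.org"
OPAC_ROOT = "/eg/opac"
DEFAULT_TARGET = "/eg/opac/myopac/main"


def is_local_opac_url(url, hostname=OPAC_HOSTNAME, opac_root=OPAC_ROOT):
    """True only if url points back into this OPAC.

    Accepts an absolute http(s) URL whose host is exactly `hostname`, or a
    site-relative path, as long as the path is opac_root itself or lies under it.
    """
    # Backslashes are treated as slashes by some browsers; refuse them outright.
    if not url or "\\" in url:
        return False
    if url.startswith("/"):
        # Site-relative path. "//host/..." is protocol-relative and would leave the site.
        if url.startswith("//"):
            return False
        path = urlsplit(url).path
    else:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            return False
        # .hostname strips userinfo and port and lowercases, so
        # "https://catalog.example.org@evil.example/..." resolves to evil.example here.
        if parts.hostname != hostname.lower():
            return False
        path = parts.path or "/"
    # Require a real path boundary so "/eg/opacevil" does not pass as "/eg/opac".
    root = opac_root.rstrip("/")
    return path == opac_root or path.startswith(root + "/")


def choose_redirect(redirect_to, referer, login_path="/eg/opac/login"):
    """Mirror the form.tt2 decision order, validating both candidates the same way.

    Prefer an explicit redirect_to, fall back to the referer, and send the user to
    My Account when neither is a local OPAC URL or the target is the login form.
    """
    candidate = redirect_to or referer
    if not is_local_opac_url(candidate):
        return DEFAULT_TARGET
    # Equivalent of redirect.match(ctx.path_info _ '$'): don't loop back to the login form.
    if urlsplit(candidate).path.endswith(login_path):
        return DEFAULT_TARGET
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs a login handler might see.
    samples = [
        (None, "https://catalog.example.org/eg/opac/results?query=cats"),
        (None, "https://catalog.example.org.evil.example/eg/opac/"),
        (None, "https://catalog.example.org@evil.example/eg/opac/"),
        ("//evil.example/eg/opac", "https://catalog.example.org/eg/opac/"),
        (None, "https://catalog.example.org/eg/opac/login"),
    ]
    for redirect_to, referer in samples:
        print(repr(redirect_to), repr(referer), "->", choose_redirect(redirect_to, referer))
```

The point of parsing rather than regex-matching is that host comparison becomes exact: a referer whose host merely starts with the expected hostname, or that hides the real host behind userinfo, fails the check, and a port or a stray regex metacharacter in the configured hostname cannot widen the match.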
Open-ILS/src/templates/opac/parts/login/form.tt2

index 2861fa0..9b13f58 100644
         </div>
         <div style="clear: both; padding-top: 15px;">
         [%
         </div>
         <div style="clear: both; padding-top: 15px;">
         [%
+            redirect = CGI.param('redirect_to');
+            # Don't use referer unless we got here from elsewhere within the TPAC
+            IF !redirect AND ctx.referer.match('^https?://' _ ctx.hostname _ ctx.opac_root);
+                redirect = ctx.referer;
+            END;
             # If no redirect is offered or it's leading us back to the
             # login form, redirect the user to My Account
             # If no redirect is offered or it's leading us back to the
             # login form, redirect the user to My Account
-            redirect = CGI.param('redirect_to') || ctx.referer;
             IF !redirect OR redirect.match(ctx.path_info _ '$');
                 redirect = CGI.url('-full' => 1) _ '/opac/myopac/main';
             END;
             IF !redirect OR redirect.match(ctx.path_info _ '$');
                 redirect = CGI.url('-full' => 1) _ '/opac/myopac/main';
             END;
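Review bot: the new referer check on the `IF !redirect AND ctx.referer.match(...)` line builds its pattern by concatenating `ctx.hostname` and `ctx.opac_root` into a regex unescaped and without a terminating boundary, so every `.` in the hostname matches any character and the match succeeds on any referer that merely begins with the expected host and root (for example a host that starts with the configured hostname, or a path such as opac_root followed by more characters when opac_root has no trailing slash). Escape the literal parts of the pattern and require the match to end at `/`, `?`, `#` or end-of-string, or better, parse the referer and compare its host to `ctx.hostname` exactly. Separately, `redirect = CGI.param('redirect_to');` is still accepted verbatim, and the only check applied afterwards (`redirect.match(ctx.path_info _ '$')`) guards against looping back to the login form, so an explicit redirect_to pointing off-site is still honoured; the same local-site check should apply to that value as well.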