diff options
author | Andrew Dolgov <[email protected]> | 2023-03-23 20:05:03 +0300 |
---|---|---|
committer | Andrew Dolgov <[email protected]> | 2023-03-23 20:05:03 +0300 |
commit | 563675de095fef98a8eb2fc7b948845b6a693eb5 (patch) | |
tree | 0ac411774dc2fd65dae380d772ee55dd5e9fa1a3 | |
parent | 0f9488ace075b62bbc38ca77ce5a1b7c881a3a3e (diff) |
* auth_internal OTP form: fix double-urlencode
* post-login redirect: handle ?return in a less idiotic fashion
-rwxr-xr-x | classes/handler/public.php | 6 | ||||
-rw-r--r-- | plugins/auth_internal/init.php | 4 |
2 files changed, 5 insertions, 5 deletions
diff --git a/classes/handler/public.php b/classes/handler/public.php index d776e27cd..d7a7010fe 100755 --- a/classes/handler/public.php +++ b/classes/handler/public.php @@ -416,10 +416,10 @@ class Handler_Public extends Handler { $_SESSION["login_error_msg"] ??= __("Incorrect username or password"); } - $return = clean($_REQUEST['return']); + $return = clean($_REQUEST['return'] ?? ''); - if ($_REQUEST['return'] && mb_strpos($return, Config::get_self_url()) === 0) { - header("Location: " . clean($_REQUEST['return'])); + if ($return && mb_strpos($return, Config::get_self_url()) === 0) { + header("Location: $return"); } else { header("Location: " . Config::get_self_url()); } diff --git a/plugins/auth_internal/init.php b/plugins/auth_internal/init.php index f113cd31e..697d0d0d2 100644 --- a/plugins/auth_internal/init.php +++ b/plugins/auth_internal/init.php @@ -36,7 +36,7 @@ class Auth_Internal extends Auth_Base { return false; } else { - $return = urlencode($_REQUEST["return"]); + $return = urlencode(with_trailing_slash($_REQUEST["return"])); ?> <!DOCTYPE html> <html> @@ -81,7 +81,7 @@ class Auth_Internal extends Auth_Base { <body class="flat ttrss_utility otp css_loading"> <h1><?= __("Authentication") ?></h1> <div class="content"> - <form dojoType="dijit.form.Form" action="public.php?return=<?= urlencode(with_trailing_slash($return)) ?>" method="post" class="otpform"> + <form dojoType="dijit.form.Form" action="public.php?return=<?= $return ?>" method="post" class="otpform"> <?php foreach (["login", "password", "bw_limit", "safe_mode", "remember_me", "profile"] as $key) { print \Controls\hidden_tag($key, $_POST[$key] ?? ""); |