From 563675de095fef98a8eb2fc7b948845b6a693eb5 Mon Sep 17 00:00:00 2001 From: Andrew Dolgov Date: Thu, 23 Mar 2023 20:05:03 +0300 Subject: * auth_internal OTP form: fix double-urlencode * post-login redirect: handle ?return in a less idiotic fashion --- classes/handler/public.php | 6 +++--- plugins/auth_internal/init.php | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/classes/handler/public.php b/classes/handler/public.php index d776e27cd..d7a7010fe 100755 --- a/classes/handler/public.php +++ b/classes/handler/public.php @@ -416,10 +416,10 @@ class Handler_Public extends Handler { $_SESSION["login_error_msg"] ??= __("Incorrect username or password"); } - $return = clean($_REQUEST['return']); + $return = clean($_REQUEST['return'] ?? ''); - if ($_REQUEST['return'] && mb_strpos($return, Config::get_self_url()) === 0) { - header("Location: " . clean($_REQUEST['return'])); + if ($return && mb_strpos($return, Config::get_self_url()) === 0) { + header("Location: $return"); } else { header("Location: " . Config::get_self_url()); } diff --git a/plugins/auth_internal/init.php b/plugins/auth_internal/init.php index f113cd31e..697d0d0d2 100644 --- a/plugins/auth_internal/init.php +++ b/plugins/auth_internal/init.php @@ -36,7 +36,7 @@ class Auth_Internal extends Auth_Base { return false; } else { - $return = urlencode($_REQUEST["return"]); + $return = urlencode(with_trailing_slash($_REQUEST["return"])); ?> @@ -81,7 +81,7 @@ class Auth_Internal extends Auth_Base {

-
+