TPAC login can redirect to external site using referer

Bug #1314827 reported by Jeff Davis
Affects      Status        Importance  Assigned to  Milestone
Evergreen    Fix Released  Medium      Unassigned
2.5          Fix Released  Undecided   Unassigned
2.6          Fix Released  Undecided   Unassigned

Bug Description

On /eg/opac/login, if no redirect_to param is provided, the TPAC will attempt to use the referer (if any) as the redirect destination. This leads to undesirable behavior if the referring URL is from an external site.

Example: Patron receives an overdue notice via email. The email includes a link to /eg/opac/login with no redirect_to param. Patron views the email in a webmail client and clicks on the link. In this case, upon successful login, the patron would be redirected to the URL of their webmail client, since that is the referring URL.

I've reproduced the issue on Evergreen 2.4, but the relevant code still exists in master. I'll push a proposed fix momentarily.

Tags: pullrequest
Jeff Davis (jdavis-sitka) wrote:

Fix pushed to user/jeffdavis/lp1314827-login-redirect-referer in the working repo:

http://git.evergreen-ils.org/?p=working/Evergreen.git;a=commitdiff;h=6599d1f

tags: added: pullrequest
Jeff Davis (jdavis-sitka) wrote:

The above fix assumes we should only do referer-based redirect if the referring URL is part of the TPAC.
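
The two behaviours discussed above (the report's unconditional Referer fallback and the proposed rule that only a Referer pointing back into the TPAC is honoured), as an added example written for this page. It is Python, not Evergreen's own Perl code, which the page does not show; the catalog host name catalog.example.org, the /eg/opac/ prefix used as the "part of the TPAC" test, and the sample requests are all constructed for the illustration. As a generalization beyond the report, the hardened version runs the same check over an explicit redirect_to value as well, so that neither source can send a patron off-site.

```python
import posixpath
from urllib.parse import urlsplit, urlunsplit

# Hypothetical settings for the example; a real deployment would take the
# catalog host list from its own configuration.
CATALOG_HOSTS = {"catalog.example.org"}
TPAC_ROOT = "/eg/opac"
DEFAULT_TARGET = "/eg/opac/home"


def redirect_target_vulnerable(params, headers):
    """The behaviour the report describes: with no redirect_to, trust the
    Referer header as-is, wherever it points."""
    if params.get("redirect_to"):
        return params["redirect_to"]
    return headers.get("Referer") or DEFAULT_TARGET


def tpac_local_path(url):
    """Return a same-site, TPAC-rooted relative target for url, or None.

    Accepts a relative path or an absolute http(s) URL whose host is one of
    our catalog hosts and whose normalized path lies under /eg/opac.  Rejects
    other schemes, foreign hosts, protocol-relative URLs (//evil.test/...),
    userinfo tricks (https://catalog.example.org@evil.test/...) and paths that
    traverse out of the TPAC.  The fragment is dropped; the query is kept.
    """
    parts = urlsplit(url.strip())
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return None
    if parts.netloc:
        # hostname strips userinfo and port and lower-cases the host
        if (parts.hostname or "") not in CATALOG_HOSTS:
            return None
    path = posixpath.normpath(parts.path or "/")
    if path != TPAC_ROOT and not path.startswith(TPAC_ROOT + "/"):
        return None
    return urlunsplit(("", "", path, parts.query, ""))


def redirect_target_hardened(params, headers):
    """Fix in the spirit of the proposed branch: honour the Referer only when
    it is a TPAC page on our own host, otherwise land on a safe default.
    The same validation is applied to redirect_to (a generalization)."""
    for candidate in (params.get("redirect_to"), headers.get("Referer")):
        if candidate:
            local = tpac_local_path(candidate)
            if local:
                return local
    return DEFAULT_TARGET


# Constructed sample requests: the overdue-notice scenario from the report,
# a library-website link with no redirect_to, a genuine in-catalog referer,
# two spoofing attempts, and an explicit redirect_to parameter.
SAMPLE_REQUESTS = {
    "webmail": ({}, {"Referer": "https://mail.example.net/inbox/12345"}),
    "library_site": ({}, {"Referer": "http://www.library.example.org/catalog-link"}),
    "from_tpac": ({}, {"Referer": "https://catalog.example.org/eg/opac/results?query=dune"}),
    "host_suffix": ({}, {"Referer": "https://catalog.example.org.evil.test/eg/opac/home"}),
    "userinfo": ({}, {"Referer": "https://catalog.example.org@evil.test/eg/opac/home"}),
    "explicit": ({"redirect_to": "/eg/opac/myopac/main"}, {"Referer": "https://mail.example.net/"}),
}


def compare(name):
    """Return (vulnerable target, hardened target) for one sample request."""
    params, headers = SAMPLE_REQUESTS[name]
    return (redirect_target_vulnerable(params, headers),
            redirect_target_hardened(params, headers))


if __name__ == "__main__":
    for name in SAMPLE_REQUESTS:
        before, after = compare(name)
        print(f"{name:12s} before: {before!r:62s} after: {after!r}")
```

Note that the check is on the Referer's host and path, not on a prefix of the raw string: `catalog.example.org.evil.test` and `catalog.example.org@evil.test` both fail it, which a plain `startswith` against the catalog URL would not catch. Ben Shum's library-website case below lands on the default page instead of being bounced back to the referring site.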

Ben Shum (bshum) wrote:

I think we've seen this recently for folks who use their library website to link to the catalog, but if they don't put a full redirect path to the patron's My Account or other specified page, they get sent back to their library website with https (which is fun when their site either doesn't have it or has an unmatched SSL cert), causing confusion.

Marking confirmed and adding initial review target in the 2.6 series. We may wish to consider backports to 2.5 series.

Changed in evergreen:
status: New → Confirmed
importance: Undecided → Medium
milestone: none → 2.6.1
Jeff Davis (jdavis-sitka) wrote:

I pushed the wrong version of this before. This commit, from branch user/jeffdavis/lp1314827-login-redirect-referer-2 in working.git, should merge cleanly into master:

http://git.evergreen-ils.org/?p=working/Evergreen.git;a=commitdiff;h=254a92c

Changed in evergreen:
milestone: 2.6.1 → 2.6.2
Galen Charlton (gmc)
Changed in evergreen:
milestone: 2.6.3 → 2.6.4
Ben Shum (bshum) wrote:

Finally tested this and it helps me with situations I've seen where my libraries link from their websites to the login page directly and get redirected to the wrong place.

Pushed to master and backported for rel_2_7, rel_2_6, and rel_2_5.

Changed in evergreen:
milestone: 2.6.4 → 2.7.1
status: Confirmed → Fix Committed
Changed in evergreen:
status: Fix Committed → Fix Released