TPAC login can redirect to external site using referer
Bug #1314827 reported by Jeff Davis. This bug affects 1 person.
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Evergreen | Fix Released | Medium | Unassigned | |
| 2.5 | Fix Released | Undecided | Unassigned | |
| 2.6 | Fix Released | Undecided | Unassigned | |
Bug Description
On /eg/opac/login, if no redirect_to param is provided, the TPAC will attempt to use the referer (if any) as the redirect destination. This leads to undesirable behavior if the referring URL is from an external site.
Example: Patron receives an overdue notice via email. The email includes a link to /eg/opac/login with no redirect_to param. Patron views the email in a webmail client and clicks on the link. In this case, upon successful login, the patron would be redirected to the URL of their webmail client, since that is the referring URL.
I've reproduced the issue on Evergreen 2.4, but the relevant code still exists in master. I'll push a proposed fix momentarily.
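As an added illustration (not Evergreen's code and not the committed fix), the following Python reproduces the decision described above, prefer `redirect_to` and otherwise fall back to the `Referer`, but validates whichever candidate is used so that only a relative OPAC path or a URL on an allowed host is honoured. The allowed host `catalog.example.org`, the default landing path `/eg/opac/home`, the function names and the sample inputs are assumptions made for the example.

```python
"""Validate a post-login redirect target so that an untrusted Referer
(e.g. a webmail client) cannot become the destination.

Illustrative code, not Evergreen's. Host name, default path and
function names are assumptions.
"""
from urllib.parse import urlsplit

# Assumed: the only host name the OPAC is served from.
ALLOWED_HOSTS = {"catalog.example.org"}
DEFAULT_TARGET = "/eg/opac/home"  # assumed safe landing page


def safe_redirect_target(candidate, default=DEFAULT_TARGET):
    """Return a redirect destination that stays on the OPAC.

    Accepted:
      - a relative path starting with a single '/', e.g. '/eg/opac/myopac/main'
      - an absolute http(s) URL whose host is in ALLOWED_HOSTS
    Anything else (external host, protocol-relative '//host', backslash
    tricks such as '/\\host', 'javascript:', empty value) yields `default`.
    """
    if not candidate:
        return default
    # Browsers treat '\' like '/' in some positions, so '/\\evil' can be
    # read as protocol-relative; reject it outright.
    if "\\" in candidate:
        return default
    parts = urlsplit(candidate)
    if not parts.scheme and not parts.netloc:
        # Relative reference: require a leading '/', but not '//'.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default
    # urlsplit lowercases the host and strips any 'user@' prefix, so
    # 'http://catalog.example.org@evil/' resolves to host 'evil'.
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return candidate
    return default


def choose_redirect(params, headers):
    """Mirror the TPAC logic: redirect_to param first, Referer as fallback,
    with the chosen value validated before use."""
    candidate = params.get("redirect_to") or headers.get("Referer")
    return safe_redirect_target(candidate)


if __name__ == "__main__":
    # Constructed scenario from the bug description: a link in an e-mail
    # with no redirect_to, opened from a webmail client.
    webmail_headers = {"Referer": "https://mail.example.com/inbox/123"}
    print(choose_redirect({}, webmail_headers))
    print(choose_redirect({"redirect_to": "/eg/opac/myopac/main"}, webmail_headers))
    print(safe_redirect_target("//mail.example.com/inbox"))
```

The unvalidated behaviour the report describes corresponds to returning `candidate` unconditionally in `safe_redirect_target`; the validated version sends the webmail case to the default page while still honouring a legitimate `redirect_to`.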
Changed in evergreen: milestone 2.6.1 → 2.6.2
Changed in evergreen: milestone 2.6.3 → 2.6.4
Changed in evergreen: status Fix Committed → Fix Released
Fix pushed to user/jeffdavis/lp1314827-login-redirect-referer in the working repo:
http://git.evergreen-ils.org/?p=working/Evergreen.git;a=commitdiff;h=6599d1f