author | ArthurHoaro <arthur@hoa.ro> | 2015-07-29 15:32:41 +0200 |
---|---|---|
committer | ArthurHoaro <arthur@hoa.ro> | 2015-08-07 16:26:38 +0200 |
commit | 5fbabbb9be44711837a1be595c069381574aa84b (patch) | |
tree | 09f07e69ebd7e1b6cacf8d59826ffb88ced828de | |
parent | b282fffa238deb41fe0aae6fe6ea68bb2b43c78e (diff) | |
Fixes #299: prevent 404 on '?edit_link' while logged out
- handle `?edit_link` in the logged-out code path.
- *really* prevent loops on login screen.
-rwxr-xr-x[-rw-r--r--] | index.php | 43 |
1 files changed, 36 insertions, 7 deletions
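--- a/index.php
+++ b/index.php
@@ -445,12 +445,30 @@ if (isset($_POST['login']))
 session_set_cookie_params(0,$cookiedir,$_SERVER['SERVER_NAME']); // 0 means "When browser closes"
 session_regenerate_id(true);
 }
+
 // Optional redirect after login:
-if (isset($_GET['post'])) { header('Location: ?post='.urlencode($_GET['post']).(!empty($_GET['title'])?'&title='.urlencode($_GET['title']):'').(!empty($_GET['description'])?'&description='.urlencode($_GET['description']):'').(!empty($_GET['source'])?'&source='.urlencode($_GET['source']):'')); exit; }
-if (isset($_POST['returnurl']))
-{
-if (endsWith($_POST['returnurl'],'?do=login')) { header('Location: ?'); exit; } // Prevent loops over login screen.
-header('Location: '.$_POST['returnurl']); exit;
+if (isset($_GET['post'])) {
+$uri = '?post='. urlencode($_GET['post']);
+foreach (array('description', 'source', 'title') as $param) {
+if (!empty($_GET[$param])) {
+$uri .= '&'.$param.'='.urlencode($_GET[$param]);
+}
+}
+header('Location: '. $uri);
+exit;
+}
+
+if (isset($_GET['edit_link'])) {
+header('Location: ?edit_link='. escape($_GET['edit_link']));
+exit;
+}
+
+if (isset($_POST['returnurl'])) {
+// Prevent loops over login screen.
+if (strpos($_POST['returnurl'], 'do=login') === false) {
+header('Location: '. escape($_POST['returnurl']));
+exit;
+}
 }
 header('Location: ?'); exit;
 }
@@ -458,7 +476,14 @@ if (isset($_POST['login']))
 {
 ban_loginFailed();
 $redir = '';
-if (isset($_GET['post'])) { $redir = '&post='.urlencode($_GET['post']).(!empty($_GET['title'])?'&title='.urlencode($_GET['title']):'').(!empty($_GET['description'])?'&description='.urlencode($_GET['description']):'').(!empty($_GET['source'])?'&source='.urlencode($_GET['source']):''); }
+if (isset($_GET['post'])) {
+$redir = '?post=' . urlencode($_GET['post']);
+foreach (array('description', 'source', 'title') as $param) {
+if (!empty($_GET[$param])) {
+$redir .= '&' . $param . '=' . urlencode($_GET[$param]);
+}
+}
+}
 echo '<script>alert("Wrong login/password.");document.location=\'?do=login'.$redir.'\';</script>'; // Redirect to login screen.
 exit;
 }
@@ -1219,6 +1244,11 @@ function renderPage()
 exit;
 }
 
+if (isset($_GET['edit_link'])) {
+header('Location: ?do=login&edit_link='. escape($_GET['edit_link']));
+exit;
+}
+
 $PAGE = new pageBuilder;
 buildLinkList($PAGE,$LINKSDB); // Compute list of links to display
 $PAGE->renderPage('linklist');
@@ -1488,7 +1518,6 @@ function renderPage()
 {
 $url=$_GET['post'];
 
-
 // We remove the annoying parameters added by FeedBurner, GoogleFeedProxy, Facebook...
 $annoyingpatterns = array('/[\?&]utm_source=[^&]*/',
 '/[\?&]utm_campaign=[^&]*/',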
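Review bot: In the failed-login branch, `$redir = '?post=' . urlencode($_GET['post']);` is later appended to `'?do=login'`, producing `?do=login?post=...`, so the second `?` folds the post URL into the `do` value and the bookmark is lost on the retry; the removed line seeded with `'&post='` and the new one should too: `$redir = '&post=' . urlencode($_GET['post']);`. Separately, in the first hunk `header('Location: '. escape($_POST['returnurl']));` still forwards a freshly authenticated user to an unchecked, client-supplied URL, so a crafted login form can send them to an attacker-controlled site after login; limiting `returnurl` to a same-origin path (reject values carrying a scheme or a leading `//`) would close that. `escape()` is not shown here; if it is an HTML escaper, it is the wrong transform for a `Location` header and for the `?edit_link=` query value in both the login and `renderPage` hunks, where `urlencode()` (as the `post` branch already uses) is what keeps `&` and `#` inside the value. The enclosing `if (isset($_POST['login']))` block begins before the first hunk, and `renderPage` continues past the last one.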