diff options
| author | ArthurHoaro <arthur@hoa.ro> | 2015-07-29 15:32:41 +0200 |
|---|---|---|
| committer | ArthurHoaro <arthur@hoa.ro> | 2015-08-07 16:26:38 +0200 |
| commit | 5fbabbb9be44711837a1be595c069381574aa84b (patch) | |
| tree | 09f07e69ebd7e1b6cacf8d59826ffb88ced828de | |
| parent | b282fffa238deb41fe0aae6fe6ea68bb2b43c78e (diff) | |
| download | Shaarli-5fbabbb9be44711837a1be595c069381574aa84b.tar.gz Shaarli-5fbabbb9be44711837a1be595c069381574aa84b.tar.zst Shaarli-5fbabbb9be44711837a1be595c069381574aa84b.zip | |
Fixes #299: prevent 404 on '?edit_link' while logged out
- add a use case for edit_link in logged out part.
- *really* prevent loops on login screen.
| -rwxr-xr-x[-rw-r--r--] | index.php | 43 |
1 files changed, 36 insertions, 7 deletions
| @@ -445,12 +445,30 @@ if (isset($_POST['login'])) | |||
| 445 | session_set_cookie_params(0,$cookiedir,$_SERVER['SERVER_NAME']); // 0 means "When browser closes" | 445 | session_set_cookie_params(0,$cookiedir,$_SERVER['SERVER_NAME']); // 0 means "When browser closes" |
| 446 | session_regenerate_id(true); | 446 | session_regenerate_id(true); |
| 447 | } | 447 | } |
| 448 | |||
| 448 | // Optional redirect after login: | 449 | // Optional redirect after login: |
| 449 | if (isset($_GET['post'])) { header('Location: ?post='.urlencode($_GET['post']).(!empty($_GET['title'])?'&title='.urlencode($_GET['title']):'').(!empty($_GET['description'])?'&description='.urlencode($_GET['description']):'').(!empty($_GET['source'])?'&source='.urlencode($_GET['source']):'')); exit; } | 450 | if (isset($_GET['post'])) { |
| 450 | if (isset($_POST['returnurl'])) | 451 | $uri = '?post='. urlencode($_GET['post']); |
| 451 | { | 452 | foreach (array('description', 'source', 'title') as $param) { |
| 452 | if (endsWith($_POST['returnurl'],'?do=login')) { header('Location: ?'); exit; } // Prevent loops over login screen. | 453 | if (!empty($_GET[$param])) { |
| 453 | header('Location: '.$_POST['returnurl']); exit; | 454 | $uri .= '&'.$param.'='.urlencode($_GET[$param]); |
| 455 | } | ||
| 456 | } | ||
| 457 | header('Location: '. $uri); | ||
| 458 | exit; | ||
| 459 | } | ||
| 460 | |||
| 461 | if (isset($_GET['edit_link'])) { | ||
| 462 | header('Location: ?edit_link='. escape($_GET['edit_link'])); | ||
| 463 | exit; | ||
| 464 | } | ||
| 465 | |||
| 466 | if (isset($_POST['returnurl'])) { | ||
| 467 | // Prevent loops over login screen. | ||
| 468 | if (strpos($_POST['returnurl'], 'do=login') === false) { | ||
| 469 | header('Location: '. escape($_POST['returnurl'])); | ||
| 470 | exit; | ||
| 471 | } | ||
| 454 | } | 472 | } |
| 455 | header('Location: ?'); exit; | 473 | header('Location: ?'); exit; |
| 456 | } | 474 | } |
| @@ -458,7 +476,14 @@ if (isset($_POST['login'])) | |||
| 458 | { | 476 | { |
| 459 | ban_loginFailed(); | 477 | ban_loginFailed(); |
| 460 | $redir = ''; | 478 | $redir = ''; |
| 461 | if (isset($_GET['post'])) { $redir = '&post='.urlencode($_GET['post']).(!empty($_GET['title'])?'&title='.urlencode($_GET['title']):'').(!empty($_GET['description'])?'&description='.urlencode($_GET['description']):'').(!empty($_GET['source'])?'&source='.urlencode($_GET['source']):''); } | 479 | if (isset($_GET['post'])) { |
| 480 | $redir = '?post=' . urlencode($_GET['post']); | ||
| 481 | foreach (array('description', 'source', 'title') as $param) { | ||
| 482 | if (!empty($_GET[$param])) { | ||
| 483 | $redir .= '&' . $param . '=' . urlencode($_GET[$param]); | ||
| 484 | } | ||
| 485 | } | ||
| 486 | } | ||
| 462 | echo '<script>alert("Wrong login/password.");document.location=\'?do=login'.$redir.'\';</script>'; // Redirect to login screen. | 487 | echo '<script>alert("Wrong login/password.");document.location=\'?do=login'.$redir.'\';</script>'; // Redirect to login screen. |
| 463 | exit; | 488 | exit; |
| 464 | } | 489 | } |
| @@ -1219,6 +1244,11 @@ function renderPage() | |||
| 1219 | exit; | 1244 | exit; |
| 1220 | } | 1245 | } |
| 1221 | 1246 | ||
| 1247 | if (isset($_GET['edit_link'])) { | ||
| 1248 | header('Location: ?do=login&edit_link='. escape($_GET['edit_link'])); | ||
| 1249 | exit; | ||
| 1250 | } | ||
| 1251 | |||
| 1222 | $PAGE = new pageBuilder; | 1252 | $PAGE = new pageBuilder; |
| 1223 | buildLinkList($PAGE,$LINKSDB); // Compute list of links to display | 1253 | buildLinkList($PAGE,$LINKSDB); // Compute list of links to display |
| 1224 | $PAGE->renderPage('linklist'); | 1254 | $PAGE->renderPage('linklist'); |
| @@ -1488,7 +1518,6 @@ function renderPage() | |||
| 1488 | { | 1518 | { |
| 1489 | $url=$_GET['post']; | 1519 | $url=$_GET['post']; |
| 1490 | 1520 | ||
| 1491 | |||
| 1492 | // We remove the annoying parameters added by FeedBurner, GoogleFeedProxy, Facebook... | 1521 | // We remove the annoying parameters added by FeedBurner, GoogleFeedProxy, Facebook... |
| 1493 | $annoyingpatterns = array('/[\?&]utm_source=[^&]*/', | 1522 | $annoyingpatterns = array('/[\?&]utm_source=[^&]*/', |
| 1494 | '/[\?&]utm_campaign=[^&]*/', | 1523 | '/[\?&]utm_campaign=[^&]*/', |