aboutsummaryrefslogtreecommitdiffhomepage
path: root/index.php
diff options
context:
space:
mode:
authorArthurHoaro <arthur@hoa.ro>2015-07-29 15:32:41 +0200
committerArthurHoaro <arthur@hoa.ro>2015-08-07 16:26:38 +0200
commit5fbabbb9be44711837a1be595c069381574aa84b (patch)
tree09f07e69ebd7e1b6cacf8d59826ffb88ced828de /index.php
parentb282fffa238deb41fe0aae6fe6ea68bb2b43c78e (diff)
downloadShaarli-5fbabbb9be44711837a1be595c069381574aa84b.tar.gz
Shaarli-5fbabbb9be44711837a1be595c069381574aa84b.tar.zst
Shaarli-5fbabbb9be44711837a1be595c069381574aa84b.zip
Fixes #299: prevent 404 on '?edit_link' while logged out
- add a use case for edit_link in logged out part. - *really* prevent loops on login screen.
Diffstat (limited to 'index.php')
-rwxr-xr-x[-rw-r--r--]index.php43
1 files changed, 36 insertions, 7 deletions
diff --git a/index.php b/index.php
index e3b612c8..2c731e9f 100644..100755
--- a/index.php
+++ b/index.php
@@ -445,12 +445,30 @@ if (isset($_POST['login']))
445 session_set_cookie_params(0,$cookiedir,$_SERVER['SERVER_NAME']); // 0 means "When browser closes" 445 session_set_cookie_params(0,$cookiedir,$_SERVER['SERVER_NAME']); // 0 means "When browser closes"
446 session_regenerate_id(true); 446 session_regenerate_id(true);
447 } 447 }
448
448 // Optional redirect after login: 449 // Optional redirect after login:
449 if (isset($_GET['post'])) { header('Location: ?post='.urlencode($_GET['post']).(!empty($_GET['title'])?'&title='.urlencode($_GET['title']):'').(!empty($_GET['description'])?'&description='.urlencode($_GET['description']):'').(!empty($_GET['source'])?'&source='.urlencode($_GET['source']):'')); exit; } 450 if (isset($_GET['post'])) {
450 if (isset($_POST['returnurl'])) 451 $uri = '?post='. urlencode($_GET['post']);
451 { 452 foreach (array('description', 'source', 'title') as $param) {
452 if (endsWith($_POST['returnurl'],'?do=login')) { header('Location: ?'); exit; } // Prevent loops over login screen. 453 if (!empty($_GET[$param])) {
453 header('Location: '.$_POST['returnurl']); exit; 454 $uri .= '&'.$param.'='.urlencode($_GET[$param]);
455 }
456 }
457 header('Location: '. $uri);
458 exit;
459 }
460
461 if (isset($_GET['edit_link'])) {
462 header('Location: ?edit_link='. escape($_GET['edit_link']));
463 exit;
464 }
465
466 if (isset($_POST['returnurl'])) {
467 // Prevent loops over login screen.
468 if (strpos($_POST['returnurl'], 'do=login') === false) {
469 header('Location: '. escape($_POST['returnurl']));
470 exit;
471 }
454 } 472 }
455 header('Location: ?'); exit; 473 header('Location: ?'); exit;
456 } 474 }
@@ -458,7 +476,14 @@ if (isset($_POST['login']))
458 { 476 {
459 ban_loginFailed(); 477 ban_loginFailed();
460 $redir = ''; 478 $redir = '';
461 if (isset($_GET['post'])) { $redir = '&post='.urlencode($_GET['post']).(!empty($_GET['title'])?'&title='.urlencode($_GET['title']):'').(!empty($_GET['description'])?'&description='.urlencode($_GET['description']):'').(!empty($_GET['source'])?'&source='.urlencode($_GET['source']):''); } 479 if (isset($_GET['post'])) {
480 $redir = '?post=' . urlencode($_GET['post']);
481 foreach (array('description', 'source', 'title') as $param) {
482 if (!empty($_GET[$param])) {
483 $redir .= '&' . $param . '=' . urlencode($_GET[$param]);
484 }
485 }
486 }
462 echo '<script>alert("Wrong login/password.");document.location=\'?do=login'.$redir.'\';</script>'; // Redirect to login screen. 487 echo '<script>alert("Wrong login/password.");document.location=\'?do=login'.$redir.'\';</script>'; // Redirect to login screen.
463 exit; 488 exit;
464 } 489 }
@@ -1219,6 +1244,11 @@ function renderPage()
1219 exit; 1244 exit;
1220 } 1245 }
1221 1246
1247 if (isset($_GET['edit_link'])) {
1248 header('Location: ?do=login&edit_link='. escape($_GET['edit_link']));
1249 exit;
1250 }
1251
1222 $PAGE = new pageBuilder; 1252 $PAGE = new pageBuilder;
1223 buildLinkList($PAGE,$LINKSDB); // Compute list of links to display 1253 buildLinkList($PAGE,$LINKSDB); // Compute list of links to display
1224 $PAGE->renderPage('linklist'); 1254 $PAGE->renderPage('linklist');
@@ -1488,7 +1518,6 @@ function renderPage()
1488 { 1518 {
1489 $url=$_GET['post']; 1519 $url=$_GET['post'];
1490 1520
1491
1492 // We remove the annoying parameters added by FeedBurner, GoogleFeedProxy, Facebook... 1521 // We remove the annoying parameters added by FeedBurner, GoogleFeedProxy, Facebook...
1493 $annoyingpatterns = array('/[\?&]utm_source=[^&]*/', 1522 $annoyingpatterns = array('/[\?&]utm_source=[^&]*/',
1494 '/[\?&]utm_campaign=[^&]*/', 1523 '/[\?&]utm_campaign=[^&]*/',