Skip to content

Fix issue with redirects loosing args #124

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
danielbachhuber merged 2 commits into from
Jun 28, 2018
Merged

Fix issue with redirects loosing args #124

danielbachhuber merged 2 commits into from
Jun 28, 2018

Conversation

@andrzejpiotrowski
Copy link

@andrzejpiotrowski andrzejpiotrowski commented Jun 28, 2018

Redirect URL is not encoded in the redirect_to arg, and it may loose it's own args which will be applied to the parent URL... also the URL with missing args might become invalid, example:

  1. As a logged out user we are entering the page that requires user to be logged in:
    https://mysite.example.com/?p=1234&preview=1&secret=1234

  2. User being redirected to:
    https://mysite.example.com/wp-login.php?redirect_to=https%3A%2F%2Fmysite.example.com%2F%3Fp%3D1234%26preview%3D1%26secret%3D1234

  3. But then the information that is passed to SimpleSAML lib contains already improperly formatted URL, with not encoded redirect_to arg:
    https://mysite.example.com/wp-login.php?redirect_to=https://mysite.example.com/?p=1234&preview=1&secret=1234&action=wp-saml-auth

  4. After all, after successful login, user is redirected to:
    https://mysite.example.com/?p=1234
    but should be to:
    https://mysite.example.com/?p=1234&preview=1&secret=1234

@danielbachhuber danielbachhuber added this to the 0.3.10 milestone Jun 28, 2018
@danielbachhuber danielbachhuber self-requested a review June 28, 2018 14:05
@danielbachhuber danielbachhuber merged commit a6488ea into pantheon-systems:master Jun 28, 2018
@danielbachhuber
Copy link
Contributor

danielbachhuber commented Jun 28, 2018

Thanks @andrzejpiotrowski. I've tagged v0.3.10 with this fix.

@andrzejpiotrowski
Copy link
Author

andrzejpiotrowski commented Jun 28, 2018

Thank you for quick review!

@andrzejpiotrowski andrzejpiotrowski deleted the patch-1 branch June 28, 2018 14:27
@danielbachhuber danielbachhuber mentioned this pull request Dec 17, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@danielbachhuber danielbachhuber danielbachhuber approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

0.3.10

Development

Successfully merging this pull request may close these issues.

2 participants

@andrzejpiotrowski @danielbachhuber