[open-ils-commits] ***SPAM*** [GIT] Evergreen ILS branch rel_2_6 updated. c6d474d27ead75a1365e44dea4144cd701c28e02

Evergreen Git git at git.evergreen-ils.org
Fri Oct 3 02:20:52 EDT 2014


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".

The branch, rel_2_6 has been updated
       via  c6d474d27ead75a1365e44dea4144cd701c28e02 (commit)
      from  81dd489c33e70bfe5b04f1f5cfaab9f4de5e6e32 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit c6d474d27ead75a1365e44dea4144cd701c28e02
Author: Jeff Davis <jdavis at sitka.bclibraries.ca>
Date:   Fri May 16 15:14:43 2014 -0700

    LP#1314827: On login, don't allow referer-based redirect to external site
    
    On /eg/opac/login, if no redirect_to param is provided, the TPAC will
    attempt to use the referer (if any) as the redirect destination. This
    leads to undesirable behavior if the referring URL is from an external
    site.
    
    Signed-off-by: Jeff Davis <jdavis at sitka.bclibraries.ca>
    Signed-off-by: Ben Shum <bshum at biblio.org>

diff --git a/Open-ILS/src/templates/opac/parts/login/form.tt2 b/Open-ILS/src/templates/opac/parts/login/form.tt2
index 2861fa0..9b13f58 100644
--- a/Open-ILS/src/templates/opac/parts/login/form.tt2
+++ b/Open-ILS/src/templates/opac/parts/login/form.tt2
@@ -37,9 +37,13 @@
         </div>
         <div style="clear: both; padding-top: 15px;">
         [%
+            redirect = CGI.param('redirect_to');
+            # Don't use referer unless we got here from elsewhere within the TPAC
+            IF !redirect AND ctx.referer.match('^https?://' _ ctx.hostname _ ctx.opac_root);
+                redirect = ctx.referer;
+            END;
             # If no redirect is offered or it's leading us back to the
             # login form, redirect the user to My Account
-            redirect = CGI.param('redirect_to') || ctx.referer;
             IF !redirect OR redirect.match(ctx.path_info _ '$');
                 redirect = CGI.url('-full' => 1) _ '/opac/myopac/main';
             END;
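Review bot: The same-site test on the added `IF !redirect AND ctx.referer.match('^https?://' _ ctx.hostname _ ctx.opac_root);` line interpolates `ctx.hostname` into the pattern unescaped, so each `.` in the hostname matches any character and the test is looser than an exact host comparison. Suggest escaping the hostname and OPAC root before concatenating them into the pattern, or comparing the referer's parsed scheme, host and path prefix for equality instead of using a regex. Also, the restriction covers only the referer: `redirect = CGI.param('redirect_to');` is assigned as supplied, with no equivalent same-site check visible in this hunk. If that parameter is not validated elsewhere, it should get the same test, since the commit's stated goal is to avoid redirecting to an external site after login. A brief comment noting that the match is meant as a prefix test against the TPAC root would help future readers.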

-----------------------------------------------------------------------

Summary of changes:
 Open-ILS/src/templates/opac/parts/login/form.tt2 |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)


hooks/post-receive
-- 
Evergreen ILS

