[open-ils-commits] ***SPAM*** [GIT] Evergreen ILS branch rel_2_5 updated. 9f3b44c6f86e6b3cf6bf60f9f25b105bc3e8b73a

Evergreen Git git at git.evergreen-ils.org
Fri Oct 3 02:20:52 EDT 2014


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".

The branch, rel_2_5 has been updated
       via  9f3b44c6f86e6b3cf6bf60f9f25b105bc3e8b73a (commit)
      from  cd666f98c7d1460b8ff1d7df3b2528bb028cd9df (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 9f3b44c6f86e6b3cf6bf60f9f25b105bc3e8b73a
Author: Jeff Davis <jdavis at sitka.bclibraries.ca>
Date:   Fri May 16 15:14:43 2014 -0700

    LP#1314827: On login, don't allow referer-based redirect to external site
    
    On /eg/opac/login, if no redirect_to param is provided, the TPAC will
    attempt to use the referer (if any) as the redirect destination. This
    leads to undesirable behavior if the referring URL is from an external
    site.
    
    Signed-off-by: Jeff Davis <jdavis at sitka.bclibraries.ca>
    Signed-off-by: Ben Shum <bshum at biblio.org>

diff --git a/Open-ILS/src/templates/opac/parts/login/form.tt2 b/Open-ILS/src/templates/opac/parts/login/form.tt2
index 2861fa0..9b13f58 100644
--- a/Open-ILS/src/templates/opac/parts/login/form.tt2
+++ b/Open-ILS/src/templates/opac/parts/login/form.tt2
@@ -37,9 +37,13 @@
         </div>
         <div style="clear: both; padding-top: 15px;">
         [%
+            redirect = CGI.param('redirect_to');
+            # Don't use referer unless we got here from elsewhere within the TPAC
+            IF !redirect AND ctx.referer.match('^https?://' _ ctx.hostname _ ctx.opac_root);
+                redirect = ctx.referer;
+            END;
             # If no redirect is offered or it's leading us back to the
             # login form, redirect the user to My Account
-            redirect = CGI.param('redirect_to') || ctx.referer;
             IF !redirect OR redirect.match(ctx.path_info _ '$');
                 redirect = CGI.url('-full' => 1) _ '/opac/myopac/main';
             END;
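Review bot: In the added IF condition, ctx.hostname and ctx.opac_root are concatenated into the pattern unescaped, so each "." in the hostname matches any character and a referer from a host that only resembles ctx.hostname passes the check. Escape the interpolated values before building the regex, or parse the referer and compare its host to ctx.hostname by string equality. Separately, the new line redirect = CGI.param('redirect_to'); still accepts the parameter with no same-site check, so the restriction applied to the referer here does not cover a redirect_to value supplied in the request. Consider running it through the same test, and add a comment saying which destinations are meant to be allowed.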

-----------------------------------------------------------------------

Summary of changes:
 Open-ILS/src/templates/opac/parts/login/form.tt2 |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)


hooks/post-receive
-- 
Evergreen ILS

