[LON-CAPA-cvs] cvs: loncom /auth lonlogin.pm

raeburn raeburn at source.lon-capa.org
Tue Sep 28 17:16:07 EDT 2021


raeburn		Tue Sep 28 21:16:07 2021 EDT

  Modified files:              
    /loncom/auth	lonlogin.pm 
  Log:
  - HTML Entity encoding of user-supplied input in query string for URLs.
  
  
Index: loncom/auth/lonlogin.pm
diff -u loncom/auth/lonlogin.pm:1.186 loncom/auth/lonlogin.pm:1.187
--- loncom/auth/lonlogin.pm:1.186	Tue Sep 28 20:47:46 2021
+++ loncom/auth/lonlogin.pm	Tue Sep 28 21:16:07 2021
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Login Screen
 #
-# $Id: lonlogin.pm,v 1.186 2021/09/28 20:47:46 raeburn Exp $
+# $Id: lonlogin.pm,v 1.187 2021/09/28 21:16:07 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -123,7 +123,7 @@
             $protocol = 'http' if ($protocol ne 'https');
             my $dest = '/adm/roles';
             if ($env{'form.firsturl'} ne '') {
-                $dest = $env{'form.firsturl'};
+                $dest = &HTML::Entities::encode($env{'form.firsturl'},'\'"<>&');
             }
             my %info = (
                          balcookie => $lonhost.':'.$balancer_cookie,
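Review bot: The new `$dest` line applies HTML-entity encoding to a value that is then used as a URL, and the same choice is made at the `$dest` assignment in the `@@ -203` hunk, the `origurl=` append in the `@@ -795` hunk and the `firsturl=` append in the `@@ -1021` hunk, so it only protects the HTML-attribute layer: if `$dest` also reaches an HTTP `Location` header or is parsed server-side as a query string, an `&` inside `form.firsturl` becomes `&amp;`, i.e. a separator plus a stray `amp;...` parameter, while the raw `&` appended for `btoken=` in the next hunk is left as-is, so one of the two is wrong for whichever context `$dest` ends up in. The layered approach is to percent-encode the value for the URL (for instance `URI::Escape::uri_escape`) and entity-encode only where the finished string is written into HTML. Because `form.firsturl` is user-controlled and used as a redirect target, it should also be constrained to a same-origin path (leading `/`, not `//`) before being accepted. Where `$dest` is consumed is not visible here, so the header/query-string concern is inferred; the enclosing function starts and ends outside the hunk.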
@@ -141,7 +141,7 @@
             }
             my $balancer_token = &Apache::lonnet::tmpput(\%info,$found_server);
             if ($balancer_token) {
-                $dest .=  (($dest=~/\?/)?'&;':'?') . 'btoken='.$balancer_token;
+                $dest .=  (($dest=~/\?/)?'&':'?') . 'btoken='.$balancer_token;
             }
             unless ($found_server eq $lonhost) {
                 my $alias = &Apache::lonnet::use_proxy_alias($r,$found_server);
@@ -203,7 +203,7 @@
 	    &Apache::loncommon::end_page();
         my $dest = '/adm/roles';
         if ($env{'form.firsturl'} ne '') {
-            $dest = $env{'form.firsturl'};
+            $dest = &HTML::Entities::encode($env{'form.firsturl'},'\'"<>&');
         }
         if (($env{'form.ltoken'}) || ($linkprot)) {
             unless ($linkprot) {
@@ -795,15 +795,16 @@
         if ($samlssourl  ne '') {
             $ssologin = $samlssourl;
         }
+        if ($env{'form.firsturl'} ne '') {
+            $ssologin .= (($ssologin=~/\?/)?'&':'?') .
+                         'origurl='.&HTML::Entities::encode($env{'form.firsturl'},'\'<>&"');
+        }
         my $ssohref;
         if ($samlssoimg ne '') {
             $ssohref = '<a href="'.$ssologin.'" title="'.$samltooltip.'"><img src="'.$samlssoimg.'" alt="'.$samlssoalt.'" /></a>';
         } else {
             $ssohref = '<a href="'.$ssologin.'">'.$samlssotext.'</a>';
         }
-        if ($env{'form.firsturl'}) {
-            $ssologin .= '?origurl='.&HTML::Entities::encode($env{'form.firsturl'},'<>&"');
-        }
         if (($env{'form.saml'} eq 'no') ||
             (($env{'form.username'} ne '') && ($env{'form.domain'} ne ''))) {
             $ssoauthstyle = 'none';
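Review bot: The relocated `origurl` append now runs before `$ssohref` is built, which is the reason it had to move, but nothing in the code records that ordering constraint, so a later tidy-up could move it back below the link construction without noticing. A comment above the new `if`, such as `# Append origurl before $ssohref is built; the link is a snapshot of $ssologin.`, would preserve the intent. Within the `href` attribute the `?`/`&` separator and `origurl=` are emitted raw while the value is entity-encoded; browsers tolerate the mixed form, but it is worth noting if the page is ever validated as strict HTML. The enclosing function starts and ends outside the hunk.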
@@ -1021,12 +1022,12 @@
     }
     my $url = $protocol.'://'.$hostname.$path;
     if ($env{'form.firsturl'} ne '') {
-        $url .='?firsturl='.$env{'form.firsturl'};
+        $url .='?firsturl='.&HTML::Entities::encode($env{'form.firsturl'},'\'"<>&');;
     }
     if ($linkprot) {
         my $ltoken = &Apache::lonnet::tmpput({linkprot => $linkprot},$desthost);
         if ($ltoken) {
-            $url .= (($url =~ /\?/) ? '&' : '?').'ltoken='.$ltoken;
+            $url .= (($url =~ /\?/) ? '&' : '?').'ltoken='.$ltoken;
         }
     }
     my $start_page = &Apache::loncommon::start_page('Switching Server ...',undef,
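Review bot: The new `firsturl=` line ends in a doubled semicolon (`...'\'"<>&');;`), leaving an empty statement that should be dropped: `$url .= '?firsturl='.&HTML::Entities::encode($env{'form.firsturl'},'\'"<>&');`. The `ltoken` line just below is shown as changed with no visible difference in its text, so it is presumably a whitespace-only edit. The enclosing function starts and ends outside the hunk.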



