Bug 31699: (follow-up) Protect against unauthorized redirects

author Martin Renvoize <martin.renvoize@ptfs-europe.com>

Wed, 9 Nov 2022 08:27:44 +0000 (08:27 +0000)

committer Tomas Cohen Arazi <tomascohen@theke.io>

Thu, 9 Feb 2023 13:21:30 +0000 (10:21 -0300)
author Martin Renvoize <martin.renvoize@ptfs-europe.com>
Wed, 9 Nov 2022 08:27:44 +0000 (08:27 +0000)
committer Tomas Cohen Arazi <tomascohen@theke.io>
Thu, 9 Feb 2023 13:21:30 +0000 (10:21 -0300)
diff --git a/koha-tmpl/opac-tmpl/bootstrap/js/global.js b/koha-tmpl/opac-tmpl/bootstrap/js/global.js

index 27fe084..ce5d4f6 100644 (file)
--- a/koha-tmpl/opac-tmpl/bootstrap/js/global.js
+++ b/koha-tmpl/opac-tmpl/bootstrap/js/global.js
@@ -228,7 +228,7 @@ $(document).ready(function(){
          var button = $(this);
          var context = button.data('return');
          if ( context ) {
-            $('#modalAuth').append('<input type="hidden" name="return" value="'+window.location+'" />');
+            $('#modalAuth').append('<input type="hidden" name="return" value="'+window.location.pathname+window.location.search+'" />');
          }
          $("#loginModal").modal("show");
      });
diff --git a/opac/opac-user.pl b/opac/opac-user.pl

index 1b2aa81..a02e7f1 100755 (executable)
--- a/opac/opac-user.pl
+++ b/opac/opac-user.pl
@@ -428,8 +428,10 @@ if ($search_query) {
  # back to the page we triggered the login from
  my $return = $query->param('return');
  if ( $return ) {
+    my $uri = C4::Context->preference('OPACBaseURL');
+    $uri .= $return;
      print $query->redirect(
-        -uri    => $return,
+        -uri    => $uri,
          -cookie => $cookie,
      );
  }
author	Martin Renvoize <martin.renvoize@ptfs-europe.com>
	Wed, 9 Nov 2022 08:27:44 +0000 (08:27 +0000)
committer	Tomas Cohen Arazi <tomascohen@theke.io>
	Thu, 9 Feb 2023 13:21:30 +0000 (10:21 -0300)
koha-tmpl/opac-tmpl/bootstrap/js/global.js		patch \| blob \| history
opac/opac-user.pl		patch \| blob \| history