Item10064: redirectto in Rename broken since 1.1
Priority: Urgent
Current State: Closed
Released In: 1.1.3
Target Release: patch
Applies To: Engine
Component:
Branches:
While comparing a 1.0.9 and a 1.1.2 installation, I discovered that the redirectto url param is not working anymore.
Looking at Foswiki::UI::Rename::rename() makes me think that it's not handled at all.
Unless somebody points me to some code deeper in the core which takes care of that, I will add some code directly in UI::Rename.
--
OliverKrueger - 22 Nov 2010
We are experiencing the same problem here. No redirect on rename. Once in 1.0.9 working wiki applications fail to rewrite after a rename.
--
AndreLichtsteiner - 29 Nov 2010
Oliver: Foswiki.pm, sub redirectto
--
CrawfordCurrie - 29 Nov 2010
So, if I understand right, the code is all here.
Is there a configuration parameter that needs update in order to redirect to a http:// url after rename?
Here is a hack I managed to get to work:
--- /lib/Foswiki/UI/Rename.pm Mon Nov 29 15:15:32 2010
+++ /lib/Foswiki/UI/Rename.pm orig Wed Nov 10 01:29:12 2010
@@ -305,8 +305,2 @@
- my $redirectto = $query->param('redirectto') || '';
-
- if ($redirectto) {
- $new_url = $query->param('redirectto');
- }
-
return $new_url;
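Review bot: inside the "if ($redirectto)" block, the line "$new_url = $query->param('redirectto');" takes the redirect target straight from the request with no host check, so any absolute URL supplied in the parameter becomes the destination after the rename. Check the value against {DefaultUrlHost} and {PermittedRedirectHostUrls}, or route it through the core redirectto routine named earlier in this thread, before assigning it, and reuse the already-fetched $redirectto instead of reading the parameter a second time. The file headers are also reversed: the "---" side is the modified file and the "+++" side is labelled orig, so the "-" lines are the proposed addition.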
--
AndreLichtsteiner - 29 Nov 2010
Yep, except the param should be gated through Foswiki::redirectto to handle web.topic notation as well.
--
OliverKrueger - 29 Nov 2010
AndreLichtsteiner reports "unsafe" redirects. It's possible to redirect to http://google.com/ although that URL is not in the PermittedFooList.
--
OliverKrueger - 29 Nov 2010
Never mind my edit, I'm opening a new Task as it seems sufficiently different in nature
--
KiltBear - 03 Jan 2011
Is this task okay to close/release in 1.1.3, or is there a security issue with unsafe redirects? If I try the following on 1.1.3, I get an oops warning about unsafe redirect:
http://some.foswiki.com/rename/Sandbox/TestTopic0?redirectto=http://google.com
...
Attention
Access check on Main.WebHome failed. Action "redirect": unsafe redirect to ARRAY(0x84f7020): host does not match {DefaultUrlHost} , and is not in {PermittedRedirectHostUrls}"http://some.foswiki.com/".
The ARRAY operand suggests that there is something not quite right though. Raising to urgent to verify that there is not an issue with unsafe urls and I'm not recreating the correct test case.
--
GeorgeClark - 09 Mar 2011
The url parameter was not being retrieved from the $query - Works if retrieved from CGI. Verified that unsafe-redirect is caught if the destination is not in the list of authorized hosts.
--
GeorgeClark - 12 Mar 2011
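
The kind of check the oops message in this thread describes, as an added example that is not Foswiki's own code: a redirectto value is accepted only if it is in Web.Topic notation or its scheme and host match {DefaultUrlHost} or an entry in {PermittedRedirectHostUrls}. The helper names, the comma-separated list format, the sample hosts and the resulting URL layout are assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample settings; the key names mirror the {DefaultUrlHost} and
# {PermittedRedirectHostUrls} settings quoted in the oops message.
# Assumption: the permitted list is comma-separated.
my %cfg = (
    DefaultUrlHost            => 'http://some.foswiki.com',
    PermittedRedirectHostUrls => 'http://intranet.example.com',
);

# Hypothetical helper: reduce a URL to lower-cased "scheme://host[:port]".
# Returns nothing for values that are not plain http(s) URLs, including
# URLs that carry userinfo ("http://trusted@other.example/").
sub origin_of {
    my ($url) = @_;
    return unless defined $url
        && $url =~ m{^(https?)://([A-Za-z0-9.-]+)(:\d+)?(?:[/?#]|$)}i;
    return lc( $1 . '://' . $2 . ( $3 // '' ) );
}

# Hypothetical helper: return a safe redirect target, or undef to refuse.
sub safe_redirect_target {
    my ($value) = @_;

    # Refuse anything that is not a non-empty plain string (e.g. an array ref)
    return unless defined $value && !ref $value && length $value;

    # Web.Topic notation stays on this site (constructed URL layout)
    if ( $value =~ m{^([A-Za-z0-9_]+)[./]([A-Za-z0-9_]+)$} ) {
        return "$cfg{DefaultUrlHost}/$1/$2";
    }

    # Absolute URL: compare the whole origin, never a prefix or substring
    my $origin = origin_of($value) or return;
    my @allowed = map { origin_of($_) } $cfg{DefaultUrlHost},
        split /\s*,\s*/, $cfg{PermittedRedirectHostUrls};
    return ( grep { $_ eq $origin } @allowed ) ? $value : undef;
}

# Constructed test values
for my $t ( 'Sandbox.TestTopic0', 'http://some.foswiki.com/Main/WebHome',
    'http://google.com', ['http://google.com'],
    'http://some.foswiki.com.evil.example/' )
{
    my $shown = ref $t ? "[$t->[0]]" : $t;
    printf "%-40s => %s\n", $shown, safe_redirect_target($t) // 'REFUSED';
}
```

Comparing the full origin is what refuses the last sample value, which only starts with the trusted host name.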