From b8c529c2eca3f67da6f771127b5e42c8626d7249 Mon Sep 17 00:00:00 2001
From: Hugo Sampaio
Date: Sat, 27 Apr 2024 09:30:41 -0300
Subject: [PATCH 1/4] Enable URL Recovery from logout
---
 check_login.php | 5 ++++-
 login.php | 6 ++++--
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/check_login.php b/check_login.php
index a0fd15730..acc89d329 100644
--- a/check_login.php
+++ b/check_login.php
@@ -18,7 +18,10 @@
 // Check user is logged in with a valid session
 if (!isset($_SESSION['logged']) || !$_SESSION['logged']) {
- header("Location: login.php");
+ if($_SERVER["REQUEST_URI"] == "/")
+ header("Location: login.php");
+ else
+ header("Location: login.php?url=".urlencode($_SERVER["REQUEST_SCHEME"] . "://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]) );
 exit;
 }
diff --git a/login.php b/login.php
index 605385464..f3f1532a3 100644
--- a/login.php
+++ b/login.php
@@ -218,8 +218,10 @@
 //}
 }
-
- header("Location: $config_start_page");
+ if($_GET['url'])
+ header("Location: ".$_GET['url']);
+ else
+ header("Location: $config_start_page");
 } else {
From bab66bf769184d38722db00b4df7171ce61c78dd Mon Sep 17 00:00:00 2001
From: Hugo Sampaio
Date: Fri, 3 May 2024 09:34:50 -0300
Subject: [PATCH 2/4] updated fixed domain url from config to prevent open redirect issue and encoded uri
---
 check_login.php | 3 +--
 login.php | 4 ++--
 2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/check_login.php b/check_login.php
index acc89d329..eeb6d4d4e 100644
--- a/check_login.php
+++ b/check_login.php
@@ -21,7 +21,7 @@
 if($_SERVER["REQUEST_URI"] == "/")
 header("Location: login.php");
 else
- header("Location: login.php?url=".urlencode($_SERVER["REQUEST_SCHEME"] . "://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]) );
+ header("Location: login.php?last_visited=" . base64_encode($_SERVER["REQUEST_URI"]) );
 exit;
 }
@@ -87,4 +87,3 @@
 //if ($session_user_config_force_mfa == 1 && $session_token == NULL) {
 // header("Location: force_mfa.php");
 //}
- 
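Review bot: In the patch 2 check_login.php hunk (@@ -21,7) the base64 text placed into the `last_visited` query parameter is not URL-encoded, yet base64_encode() output contains `+`, `/` and `=`; a `+` is turned into a space by the query-string parser, and base64_decode() in its default non-strict mode silently skips it, so the path the user is sent back to can differ from the one requested. Wrap the value: `header("Location: login.php?last_visited=" . urlencode(base64_encode($_SERVER["REQUEST_URI"])));`. The same expression is carried unchanged into the patch 3 check_login.php hunk in the next chunk. The `if (!isset($_SESSION['logged']) ...)` block that encloses this code opens above the hunk.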
diff --git a/login.php b/login.php
index f3f1532a3..93c564d24 100644
--- a/login.php
+++ b/login.php
@@ -218,8 +218,8 @@
 //}
 }
- if($_GET['url'])
- header("Location: ".$_GET['url']);
+ if($_GET['last_visited'])
+ header("Location: ".$_SERVER["REQUEST_SCHEME"] . "://" . $config_base_url . base64_decode($_GET['last_visited']) );
 else
 header("Location: $config_start_page");
From 17eb51bd54b3310de30557284bbacdb0de90d1d4 Mon Sep 17 00:00:00 2001
From: Hugo Sampaio
Date: Sat, 4 May 2024 19:23:39 -0300
Subject: [PATCH 3/4] Update check_login.php If standard
---
 check_login.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/check_login.php b/check_login.php
index eeb6d4d4e..297208c27 100644
--- a/check_login.php
+++ b/check_login.php
@@ -18,10 +18,11 @@
 // Check user is logged in with a valid session
 if (!isset($_SESSION['logged']) || !$_SESSION['logged']) {
- if($_SERVER["REQUEST_URI"] == "/")
+ if ($_SERVER["REQUEST_URI"] == "/") {
 header("Location: login.php");
- else
+ } else {
 header("Location: login.php?last_visited=" . base64_encode($_SERVER["REQUEST_URI"]) );
+ }
 exit;
 }
From 5280620c6da18da01a203de6e9e4b90f753f3983 Mon Sep 17 00:00:00 2001
From: Hugo Sampaio
Date: Sat, 4 May 2024 19:25:10 -0300
Subject: [PATCH 4/4] Update login.php If standard
---
 login.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/login.php b/login.php
index 93c564d24..aa8fed08d 100644
--- a/login.php
+++ b/login.php
@@ -218,11 +218,11 @@
 //}
 }
- if($_GET['last_visited'])
+ if ($_GET['last_visited']) {
 header("Location: ".$_SERVER["REQUEST_SCHEME"] . "://" . $config_base_url . base64_decode($_GET['last_visited']) );
- else
+ } else {
 header("Location: $config_start_page");
-
+ }
 } else {
 // MFA is configured and needs to be confirmed, or was unsuccessful
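Review bot: In the patch 4 login.php hunk (@@ -218,11) the decoded `last_visited` value is appended after `$config_base_url` with no check that it is a path, so nothing in the new code guarantees the redirect stays on the configured host; patch 2's message says the fixed domain closes the open redirect, but that only holds when the decoded value begins with a single `/`. Decode in strict mode so malformed input yields `false`, accept only a value that starts with `/` (not `//`) and contains no control characters, and fall back to `$config_start_page` otherwise. `if ($_GET['last_visited'])` also reads an undefined index when the parameter is absent, which PHP reports as a notice or warning; test with `isset()` first. The same concatenation appears in the patch 2 login.php hunk at the top of this chunk; the `if`/`else` that encloses these lines opens above the hunk and closes below it.
```php
}
$last_visited = isset($_GET['last_visited']) ? base64_decode($_GET['last_visited'], true) : false;
// Accept only a same-site absolute path: one leading "/" (not "//") and no
// control characters, so the decoded value can change neither scheme nor host.
if ($last_visited !== false && preg_match('#^/(?![/\\\\])[^\x00-\x1F\x7F]*$#', $last_visited) === 1) {
    header("Location: " . $_SERVER["REQUEST_SCHEME"] . "://" . $config_base_url . $last_visited);
} else {
    header("Location: $config_start_page");
}
```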