Bug #21830

Redirect with felogin on TYPO3 4.3 does not work

Added by Claus Harup almost 10 years ago. Updated about 1 year ago.

Status: Closed
Priority: Should have
Category: felogin
Target version: -
Start date: 2009-12-09
% Done: 0%

Description

Redirect with felogin on TYPO3 4.3 does not work - all I did was to upgrade to 4.3. It worked fine on 4.2.10

(issue imported from #M12990)

0012990v1.patch (588 Bytes) Administrator Admin, 2010-04-11 21:47

12994_trunk.patch (759 Bytes) Administrator Admin, 2010-05-16 10:11

History

#1 Updated by Chris topher almost 10 years ago

Hi Claus,

there was a fix for redirects recently. This will also be part of TYPO3 4.3.1.
If you want to immediately fix this, replacing the file "class.tx_felogin_pi1.php" with the one you can download here should already help:
http://forge.typo3.org/repositories/browse/typo3v4-core/branches/TYPO3_4-3/typo3/sysext/felogin/pi1?rev=6638

#2 Updated by Administrator Admin almost 10 years ago

Fix does not work correctly

Line 468:
$extraHiddenAr[] = '<input type="hidden" name="referer" value="' . rawurlencode($referer) . '" />';
rawurlencode replaces all signs like / with a percent (%) followed by two hex digits.

The following preg_match on line 583:
if (preg_match('/^http:\/\/([[:alnum:]._-]+)\//', $url, $match))
checks for normal ASCII signs, but they don't exist.

=> 404

#3 Updated by Maximilian almost 10 years ago

I have the same problem, and the patch of the other fix doesn't work either.

#4 Updated by Maximilian almost 10 years ago

The problem doesn't appear if you redirect to a site which everybody can see.
Only if you redirect to a site which only a logged-in user can see, 404 appears.

#5 Updated by Bas van der Togt almost 10 years ago

The patch does not work. When is this bug gonna be fixed?

#6 Updated by Christian Hennecke over 9 years ago

There are still issues with redirection in 4.3.1. If you select to redirect to the referer URL, login will result in a 404 because the referer content is added to the base URL of the site.

#7 Updated by Stefan Geith over 9 years ago

Redirect does NOT work for me, if the page with the felogin-plugin is set to 'Hide at any login'
Redirect DOES work for me, if the page with the felogin-plugin is not access-restricted.

I think this is a bug in felogin - right?

#8 Updated by Navi over 9 years ago

Yes, I'm having the same problem on felogin in 4.3.1: when using the referer option I get a 404; without it, login works.

#9 Updated by Tim Wendisch over 9 years ago

For me it works fine, for non restricted pages.

#10 Updated by Guenter Koch over 9 years ago

Same problem,

and: for over 99%, redirect to a restricted page is desired, I think.

#11 Updated by Frank Buijze over 9 years ago

Problem still exists in 4.3.2

Possible solution:

Insert

case 'login':
    if ($this->conf['redirectPageLogin']) {
        $redirect_url[] = $this->pi_getPageLink(intval($this->conf['redirectPageLogin']), array(), TRUE);
    }

on line 611 of typo3/sysext/felogin/pi1/class.tx_felogin_pi1.php

#12 Updated by Mark Möller-Bengtsson over 9 years ago

Although this is not the right forum for the "Redirect to restricted page-issue", I'll just explain the logic.

Redirecting to a restricted page works perfectly fine.
Your problem is most likely that the redirect occurs after a successful login. In which case, either the login-element or the login-page has access "Hide at login", thus disappearing before the redirect is done.

This is a working feature in TYPO3 not a bug in felogin.

#13 Updated by Christian Hennecke over 9 years ago

The problem also exists with pages that have no special access mode set. I'm using shortcuts with "Hide at login" but the actual page that contains the felogin plug-in just has "hide in menu" assigned.

#14 Updated by Guenter Koch over 9 years ago

Checking my dependencies, neither the login-element nor the login-page has access "Hide at login"; furthermore the problem still exists.

#15 Updated by Administrator Admin over 9 years ago

Is there any security reason, why not to use also rawurldecode like in 0012990v1.patch? It works for me now.

#16 Updated by Vincent Mans over 9 years ago

To make the referer work for me, I changed class tx_felogin_pi1 line 468

from

$extraHiddenAr[] = '<input type="hidden" name="referer" value="' . rawurlencode($referer) . '" />';

into

$extraHiddenAr[] = '<input type="hidden" name="referer" value="' . $referer . '" />';

Guess it's not safe? For now it works.

#17 Updated by Vladimir Kubak over 9 years ago

Even with the method defined by a GET/POST variable, redirecting doesn't work. After upgrade from 4.2.12 to 4.3.3.

#18 Updated by Vladimir Kubak over 9 years ago

Just found IMHO nonsense on tx_felogin_pi1 line 487:
if (!$gpRedirectUrl && $this->redirectUrl && $this->logintype === 'login')
When making login form, variable $this->logintype is always empty, so redirect variable in login form becomes empty as well.

#19 Updated by Thomas Hirt over 9 years ago

I can confirm that behavior. I use TYPO3 4.3.3 and changed the class class.tx_felogin_pi1.php to what Christoph mentioned: http://forge.typo3.org/repositories/browse/typo3v4-core/branches/TYPO3_4-3/typo3/sysext/felogin/pi1?rev=6638

Redirect seems not to work at all. This stays empty all the time:
<input type="hidden" name="redirect_url" value="" />

#20 Updated by Administrator Admin over 9 years ago

I downloaded the latest version of the class tx_felogin_pi1 and replaced the code of line 468 as Vincent Mans says in his comment, and now it works.

#21 Updated by Andy Hausmann over 9 years ago

I agree, Vincent Mans' solution works perfectly fine.

I tried to debug the code just minutes ago and came to the same result - after getting the url from the GET-/POST-Vars and right before setting the header via t3lib_utility_Http::redirect() on line 137, the url wasn't rawurldecoded.

If you need the url rawencoded, just replace line 88
$this->referer = t3lib_div::_GP('referer');
with this one:
$this->referer = rawurldecode(t3lib_div::_GP('referer'));

Otherwise, if you don't need an encoding, just replace line 468
$extraHiddenAr[] = '<input type="hidden" name="referer" value="' . rawurlencode($referer) . '" />';
with this one:
$extraHiddenAr[] = '<input type="hidden" name="referer" value="' . $referer . '" />';

Maybe it is possible to build in the possibility to switch the mode via TypoScript in a further version. Something like:

urlDecode = 1

which adds the encoding and decoding of the url.

#22 Updated by Jigal van Hemert over 9 years ago

rawurlencode() should be replaced with htmlspecialchars(). Otherwise some URLs may cause validation problems.

Patch attached (the name is incorrect due to a typo, sorry!), patch pending in core list.
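
The three encodings discussed in this thread for the hidden referer field, compared side by side. This is an added example, not code from felogin or from any commenter; the helper names (hiddenField, submittedValue) and the sample URLs are constructed, and the browser is simulated by HTML-decoding the attribute value up to its closing quote.

```php
<?php
// Added illustration; not felogin code. All URLs are constructed samples.

// Build the hidden field the way line 468 does, with a chosen encoder.
function hiddenField(callable $encode, string $referer): string {
    return '<input type="hidden" name="referer" value="' . $encode($referer) . '" />';
}

// What the server receives: the browser HTML-decodes the attribute value
// (which ends at the first closing quote) before submitting the form.
function submittedValue(string $html): string {
    preg_match('/value="([^"]*)"/', $html, $m);
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

$encoders = [
    'rawurlencode (4.3.0)'      => 'rawurlencode',
    'no encoding (comment #16)' => function (string $v): string { return $v; },
    'htmlspecialchars (#22)'    => function (string $v): string {
        return htmlspecialchars($v, ENT_QUOTES, 'UTF-8');
    },
];

$samples = [
    'plain'      => 'http://example.org/index.php?id=12&L=1',
    'with quote' => 'http://example.org/?q="><b>markup</b>',
];

foreach ($encoders as $label => $encode) {
    foreach ($samples as $kind => $referer) {
        $html = hiddenField($encode, $referer);
        $got  = submittedValue($html);
        printf(
            "%-26s %-10s round-trips: %-3s  host check: %-4s  attribute intact: %s\n",
            $label,
            $kind,
            $got === $referer ? 'yes' : 'no',
            // Host check in the style of the one quoted from line 583.
            preg_match('#^http://([[:alnum:]._-]+)/#', $got) ? 'pass' : 'fail',
            // type, name and value contribute two double quotes each: 6 in total.
            substr_count($html, '"') === 6 ? 'yes' : 'no'
        );
    }
}
```

Only the htmlspecialchars rows both round-trip the URL and keep the attribute intact: the percent-encoded value reaches the host check undecoded, and the unencoded value lets a double quote in the referer close the attribute early.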

#23 Updated by Steffen Kamper over 9 years ago

committed to trunk rev 7783

#24 Updated by Benni Mack about 1 year ago

  • Status changed from Resolved to Closed
