TYPO3 Core

Hi Claus,

there was a fix for redirects recently. This will also be part of TYPO3 4.3.1.
If you want to immediatelly fix this, replacing the file "class.tx_felogin_pi1.php" with the one you can download here should already help:
http://forge.typo3.org/repositories/browse/typo3v4-core/branches/TYPO3_4-3/typo3/sysext/felogin/pi1?rev=6638

Fix does not work correct

Line 468:
$extraHiddenAr[] = '<input type="hidden" name="referer" value="' . rawurlencode($referer) . '" />';
rawurlencode replace all signs like / with a percent (%) followed by two hex digits.

the following pregmatch on line 583:
if (preg_match('/^http://([[:alnum:]._-]+)//', $url, $match))
checks for normal ascii signs but they dont exist.

=> 404

I've the same problem and the patch of the other fix doesn't works, too.

The Problem doesn't appear, if you redirect to a site which everybody can see.
Only if you redirect to a site which can only see a loggend in user, 404 appears.

The patch does not work. When is this bug gonna fixed?

There are still issues with redirection in 4.3.1. If you select to redirect to the referer URL, login will result in a 404 because the referer content is added to the base URL of the site.

Redirect does NOT work for me, if the page with the felogin-plugin is set to 'Hide at any login'
Redirect DOES work for me, if the page with the felogin-plugin is not access-restricted.

I think this is a bug in felogin -right ?

Yes i'm having same problem on felogin in 4.3.1, when using referer option i get 404, without it, login works.

For me it works fine, for non restricted pages.

Same problem,

and: for over 99%, redirect to a restricted page is desired, i think.

Problem still exists in 4.3.2

Possible solution:

Insert

case 'login':
if ($this->conf['redirectPageLogin']) {
$redirect_url[] = $this->pi_getPageLink(intval($this->conf['redirectPageLogin']), array(), TRUE);
}

on line 611 of typo3/sysext/felogin/pi1//calss.tx_felogin_pi1.php

Although this not being the right forum for "Redirect to restricted page-issue" I'll just explain the logic.

Redirecting to a restricted page works perfectly fine.
Your problem is most likely that the redirect occurs after a successful login. In which case, either the login-element or the login-page, has access "Hide at login" thus dissapearing before the redirect is done.

This is a working feature in TYPO3 not a bug in felogin.

The problem also exists with pages that have no special access mode set. I'm using shortcuts with "Hide at login" but the actual page that contains the felogin plug-in just has "hide in menu" assigned.

checking my dependencies, neither the login-element nor the login-page has access "Hide at login", furthermore the problem still exists.

Is there any security reason, why not to use also rawurldecode like in 0012990v1.patch? It works for me now.

To make the referer work for me, I changed class tx_felogin_pi1 line 468

from

$extraHiddenAr[] = '<input type="hidden" name="referer" value="' . rawurlencode($referer) . '" />';

into

$extraHiddenAr[] = '<input type="hidden" name="referer" value="' . $referer . '" />';

Guess it's not safe? For now it works.

Not even with method defined by GET/POST variable redirecting doesn't work. After upgrade from 4.2.12 to 4.3.3.

Just found IMHO nonsense on tx_felogin_pi1 line 487:
if (!$gpRedirectUrl && $this->redirectUrl && $this->logintype === 'login')
When making login form, variable $this->logintype is always empty, so redirect variable in login form becomes empty as well.

I can cofirn that behavior. I use TYPO3 4.3.3 and changed the class class.tx_felogin_pi1.php to what Christoph mentioned: http://forge.typo3.org/repositories/browse/typo3v4-core/branches/TYPO3_4-3/typo3/sysext/felogin/pi1?rev=6638

Redirect seems not to work at all. This stays empty all the time:
<input type="hidden" name="redirect_url" value="" />

I downloaded the latest version of the class tx_felogin_pi1 and replace the code of the line 468 as Vincent Mans says in his commentary, and now it works.

I agree, Vincent Mans' solution works perfectly fine.

I tried to debug the code just minutes ago and came to the same result - after getting the url from the GET-/POST-Vars and right before setting the header via t3lib_utility_Http::redirect() on line 137, the url wasn't rawurldecoded.

If you need the url rawencoded, just replace line 88
$this->referer = t3lib_div::_GP('referer');
with this one:
$this->referer = rawurldecode(t3lib_div::_GP('referer'));

else if you dont need an encoding, just replace line 468
$extraHiddenAr[] = '<input type="hidden" name="referer" value="' . rawurlencode($referer) . '" />';
with this one:
$extraHiddenAr[] = '<input type="hidden" name="referer" value="' . $referer . '" />';

Maybe it is possible to build in the possibility to switch the mode via TypoScript in a further version. Something like:

urlDecode = 1

which adds the encoding and decoding of the url.

rawurlencode() should be replaced with htmlspecialchars(). Otherwise some URLs may cause validation problems.

Patch attached (the name is incorrect due to a typo, sorry!), patch pending in core list.

committed to trunk rev 7783