Commit 3cbf82a4 authored by Torben Hansen, committed by Oliver Hader

[BUGFIX] Respect HTTP_REFERER for felogin redirect mode 'referer'


The `redirectMode=referer` configuration allows processing a redirect
after a successful login to an evaluated referer value.

For the legacy version of the felogin plugin, the referer value has
been evaluated using the GET/POST parameter `referer` and the
`HTTP_REFERER` as fallback.

The extbase version of the felogin plugin currently only evaluates the
GET/POST parameter `referer`.

This patch adds the missing `HTTP_REFERER` fallback evaluation
of the referer.

Resolves: #91844
Releases: main, 11.5
Signed-off-by: Torben Hansen <derhansen@gmail.com>
Change-Id: Id4119b0425ddca09a350f4d8d8a6ebb4d3b3135b
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77204


Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Guido Schmechel <guido.schmechel@brandung.de>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
parent b6d1275f
......@@ -108,7 +108,7 @@ class RedirectModeHandler
$redirectUrl = '';
if ($redirectReferrer !== 'off') {
// Avoid forced logout, when trying to login immediately after a logout
$redirectUrl = preg_replace('/[&?]logintype=[a-z]+/', '', $this->getRefererRequestParam());
$redirectUrl = preg_replace('/[&?]logintype=[a-z]+/', '', $this->getReferer());
}
return $redirectUrl ?? '';
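Review bot: The `preg_replace('/[&?]logintype=[a-z]+/', '', ...)` on the changed line removes the separator together with the parameter, so a referer in which `logintype` is the first query argument and others follow (for example `?logintype=logout&id=5`) comes back as `&id=5` with no `?`. That shape becomes more likely now that the value can be a full URL taken from the `HTTP_REFERER` header. Consider removing the parameter in a way that keeps the query string well-formed. Note also that the strip runs on the output of `getReferer()`, so the string returned here is not byte-for-byte the one the validator checked.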
......@@ -130,7 +130,7 @@ class RedirectModeHandler
// Thanks to plan2.net / Martin Kutschker for implementing this feature.
// also avoid redirect when logging in after changing password
if ($domains) {
$url = $this->getRefererRequestParam();
$url = $this->getReferer();
// Is referring url allowed to redirect?
$match = [];
if (preg_match('#^http://([[:alnum:]._-]+)/#', $url, $match)) {
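Review bot: The pattern `#^http://([[:alnum:]._-]+)/#` in the `preg_match` accepts only the `http://` scheme and a host without a port, while `$url` can now come from the `HTTP_REFERER` header, which on an HTTPS site starts with `https://`. Such a referer never reaches the domain comparison inside this `if`; what happens to it on the non-matching path is outside the visible lines. Suggest accepting `https?://` (and deciding explicitly how ports are handled) or extracting the host with `parse_url()`, and adding a test that feeds an HTTPS referer through this branch.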
......@@ -189,10 +189,14 @@ class RedirectModeHandler
return $this->uriBuilder->build();
}
protected function getRefererRequestParam(): string
protected function getReferer(): string
{
$referer = '';
$requestReferer = (string)$this->serverRequestHandler->getPropertyFromGetAndPost('referer');
if ($requestReferer === '') {
$requestReferer = $this->serverRequestHandler->getHttpReferer();
}
if ($this->redirectUrlValidator->isValid($requestReferer)) {
$referer = $requestReferer;
}
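Review bot: `getReferer()` falls back to the header only when the `referer` parameter is an empty string, so a parameter that is present but rejected by `redirectUrlValidator->isValid()` leaves `$referer` empty even when the header holds a valid URL. If that precedence is intended, state it in a docblock on the method, together with the fact that both sources are client-supplied and pass through the same validator. Separately, renaming the protected `getRefererRequestParam()` changes the surface seen by any subclass, which matters for the 11.5 release named in the commit message; keeping the old name as a thin deprecated wrapper would avoid that.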
......
......@@ -51,6 +51,14 @@ class ServerRequestHandler
)[$propertyName] ?? null;
}
/**
* Returns the HTTP_REFERER from server request parameters if set
*/
public function getHttpReferer(): string
{
return $this->request->getServerParams()['HTTP_REFERER'] ?? '';
}
/**
* Returns validated redirect url contained in request param return_url or redirect_url
*/
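Review bot: `getHttpReferer()` declares a `string` return type but returns the raw `getServerParams()['HTTP_REFERER']` entry, whose type the array does not guarantee; a cast such as `(string)($this->request->getServerParams()['HTTP_REFERER'] ?? '')` keeps the signature honest. The docblock should also say that an empty string is returned when the header is absent and that the value is sent by the client and not validated here, so callers have to run it through the redirect URL validator as `getReferer()` does.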
......