From b8c529c2eca3f67da6f771127b5e42c8626d7249 Mon Sep 17 00:00:00 2001
From: Hugo Sampaio
Date: Sat, 27 Apr 2024 09:30:41 -0300
Subject: [PATCH 1/4] Enable URL Recovery from logout
---
 check_login.php | 5 ++++-
 login.php | 6 ++++--
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/check_login.php b/check_login.php
index a0fd1573..acc89d32 100644
--- a/check_login.php
+++ b/check_login.php
@@ -18,7 +18,10 @@ if (!isset($config_enable_setup) || $config_enable_setup == 1) {
 // Check user is logged in with a valid session
 if (!isset($_SESSION['logged']) || !$_SESSION['logged']) {
- header("Location: login.php");
+ if($_SERVER["REQUEST_URI"] == "/")
+ header("Location: login.php");
+ else
+ header("Location: login.php?url=".urlencode($_SERVER["REQUEST_SCHEME"] . "://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]) );
 exit;
 }
diff --git a/login.php b/login.php
index 60538546..f3f1532a 100644
--- a/login.php
+++ b/login.php
@@ -218,8 +218,10 @@ if (isset($_POST['login'])) {
 //}
 }
-
- header("Location: $config_start_page");
+ if($_GET['url'])
+ header("Location: ".$_GET['url']);
+ else
+ header("Location: $config_start_page");
 } else {
From bab66bf769184d38722db00b4df7171ce61c78dd Mon Sep 17 00:00:00 2001
From: Hugo Sampaio
Date: Fri, 3 May 2024 09:34:50 -0300
Subject: [PATCH 2/4] updated fixed domain url from config to prevent open redirect issue and encoded uri
---
 check_login.php | 3 +--
 login.php | 4 ++--
 2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/check_login.php b/check_login.php
index acc89d32..eeb6d4d4 100644
--- a/check_login.php
+++ b/check_login.php
@@ -21,7 +21,7 @@ if (!isset($_SESSION['logged']) || !$_SESSION['logged']) {
 if($_SERVER["REQUEST_URI"] == "/")
 header("Location: login.php");
 else
- header("Location: login.php?url=".urlencode($_SERVER["REQUEST_SCHEME"] . "://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]) );
+ header("Location: login.php?last_visited=" . base64_encode($_SERVER["REQUEST_URI"]) );
 exit;
 }
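Review bot: In the patch 2/4 check_login.php hunk, the added Location header places raw `base64_encode` output in a query string, but the base64 alphabet includes `+`, `/` and `=`, and PHP turns a literal `+` into a space while building `$_GET`, so any REQUEST_URI whose encoding contains `+` reaches login.php altered (the non-strict `base64_decode` there drops the space rather than failing, so the decoded path no longer matches the page the user was on). URL-encode the token: `header("Location: login.php?last_visited=" . urlencode(base64_encode($_SERVER["REQUEST_URI"])));`. The same line is carried unchanged into the patch 3/4 check_login.php hunk, and the `== "/"` comparison on the line above it would say what is meant as `=== "/"`.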
@@ -87,4 +87,3 @@ $num_notifications = $row['num'];
 //if ($session_user_config_force_mfa == 1 && $session_token == NULL) {
 // header("Location: force_mfa.php");
 //}
-
diff --git a/login.php b/login.php
index f3f1532a..93c564d2 100644
--- a/login.php
+++ b/login.php
@@ -218,8 +218,8 @@ if (isset($_POST['login'])) {
 //}
 }
- if($_GET['url'])
- header("Location: ".$_GET['url']);
+ if($_GET['last_visited'])
+ header("Location: ".$_SERVER["REQUEST_SCHEME"] . "://" . $config_base_url . base64_decode($_GET['last_visited']) );
 else
 header("Location: $config_start_page");
From 17eb51bd54b3310de30557284bbacdb0de90d1d4 Mon Sep 17 00:00:00 2001
From: Hugo Sampaio
Date: Sat, 4 May 2024 19:23:39 -0300
Subject: [PATCH 3/4] Update check_login.php If standard
---
 check_login.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/check_login.php b/check_login.php
index eeb6d4d4..297208c2 100644
--- a/check_login.php
+++ b/check_login.php
@@ -18,10 +18,11 @@ if (!isset($config_enable_setup) || $config_enable_setup == 1) {
 // Check user is logged in with a valid session
 if (!isset($_SESSION['logged']) || !$_SESSION['logged']) {
- if($_SERVER["REQUEST_URI"] == "/")
+ if ($_SERVER["REQUEST_URI"] == "/") {
 header("Location: login.php");
- else
+ } else {
 header("Location: login.php?last_visited=" . base64_encode($_SERVER["REQUEST_URI"]) );
+ }
 exit;
 }
From 5280620c6da18da01a203de6e9e4b90f753f3983 Mon Sep 17 00:00:00 2001
From: Hugo Sampaio
Date: Sat, 4 May 2024 19:25:10 -0300
Subject: [PATCH 4/4] Update login.php If standard
---
 login.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/login.php b/login.php
index 93c564d2..aa8fed08 100644
--- a/login.php
+++ b/login.php
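Review bot: In the patch 2/4 login.php hunk, the new Location header appends `base64_decode($_GET['last_visited'])` to `$config_base_url` without checking the decoded value, so the destination is only as fixed as that value's first character: unless it begins with a single `/`, what follows `$config_base_url` can alter the authority part of the URL and the open redirect that this patch set out to close is still reachable, and if `$config_base_url` can be empty (I cannot see where it is defined) the whole target is request-supplied. The new code also reads `$_GET['last_visited']` without `isset`, which raises an undefined-key warning on every ordinary login, and calls `base64_decode` non-strictly, so malformed input decodes to garbage instead of being rejected. Decode strictly, accept only a string value that starts with one `/` and contains no backslash or control characters, and fall back to `$config_start_page` for anything else; the same line is kept in the patch 4/4 login.php hunk and needs the same change. The enclosing `if (isset($_POST['login']))` block begins before the hunk.
```php
    // Only return to a path on this host: the token must decode strictly and
    // yield a single-leading-slash path with no backslash or control bytes;
    // anything else (including a missing token) falls back to the start page.
    $token = $_GET['last_visited'] ?? null;
    $last_visited = is_string($token) ? base64_decode($token, true) : false;
    if ($last_visited !== false
        && preg_match('#^/(?![/\\\\])[^\x00-\x1f\x7f]*\z#', $last_visited) === 1
    ) {
        header("Location: " . $_SERVER["REQUEST_SCHEME"] . "://" . $config_base_url . $last_visited);
    } else {
        header("Location: $config_start_page");
    }
```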
@@ -218,11 +218,11 @@ if (isset($_POST['login'])) {
 //}
 }
- if($_GET['last_visited'])
+ if ($_GET['last_visited']) {
 header("Location: ".$_SERVER["REQUEST_SCHEME"] . "://" . $config_base_url . base64_decode($_GET['last_visited']) );
- else
+ } else {
 header("Location: $config_start_page");
-
+ }
 } else {
 // MFA is configured and needs to be confirmed, or was unsuccessful