Instead of passing the query string in form POST variables, store it in the session so that it survives redirects. Fixes #2811

This commit is contained in:
Isaac Connor 2020-01-20 11:02:43 -05:00
parent e53ec9c8b9
commit dbdb13efd7
3 changed files with 15 additions and 7 deletions


@ -152,8 +152,6 @@ if (
setcookie('zmCSS', $css, time()+3600*24*30*12*10); setcookie('zmCSS', $css, time()+3600*24*30*12*10);
} }
# Only one request can open the session file at a time, so let's close the session here to improve concurrency.
# Any file/page that sets session variables must re-open it.
require_once('includes/lang.php'); require_once('includes/lang.php');
@ -186,6 +184,8 @@ if ( isset($_REQUEST['request']) )
$request = detaintPath($_REQUEST['request']); $request = detaintPath($_REQUEST['request']);
require_once('includes/auth.php'); require_once('includes/auth.php');
# Only one request can open the session file at a time, so let's close the session here to improve concurrency.
# Any file/page that sets session variables must re-open it.
session_write_close(); session_write_close();
foreach ( getSkinIncludes('skin.php') as $includeFile ) { foreach ( getSkinIncludes('skin.php') as $includeFile ) {
@ -242,6 +242,12 @@ if ( ZM_OPT_USE_AUTH and (!isset($user)) and ($view != 'login') and ($view != 'n
ZM\Logger::Debug('Redirecting to login'); ZM\Logger::Debug('Redirecting to login');
$view = 'none'; $view = 'none';
$redirect = ZM_BASE_URL.$_SERVER['PHP_SELF'].'?view=login'; $redirect = ZM_BASE_URL.$_SERVER['PHP_SELF'].'?view=login';
if ( ! $request ) {
zm_session_start();
$_SESSION['postLoginQuery'] = $_SERVER['QUERY_STRING'];
ZM\Error("postLoginQuery " . $_SESSION['postLoginQuery']);
session_write_close();
}
$request = null; $request = null;
} else if ( ZM_SHOW_PRIVACY && ($view != 'privacy') && ($view != 'options') && (!$request) && canEdit('System') ) { } else if ( ZM_SHOW_PRIVACY && ($view != 'privacy') && ($view != 'options') && (!$request) && canEdit('System') ) {
$view = 'none'; $view = 'none';
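Review bot: `ZM\Error("postLoginQuery " . $_SESSION['postLoginQuery']);` in the third hunk logs the complete pre-login query string at Error severity on every unauthenticated request that gets redirected, so a normal flow fills the error log and preserves whatever parameters the original URL carried; the line just above it uses `ZM\Logger::Debug(...)`, which suggests this is a leftover. Use `ZM\Logger::Debug('postLoginQuery '.$_SESSION['postLoginQuery']);` or drop the line. The hidden input removed in the third file section guarded `$_SERVER['QUERY_STRING']` with isset, while the new assignment reads it unconditionally; `$_SESSION['postLoginQuery'] = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';` keeps that guard. The enclosing if/else chain starts before and ends after the hunk.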


@ -11,12 +11,15 @@
( (
function () { function () {
// Append '?(GET query)' to URL if the GET query is not empty. // Append '?(GET query)' to URL if the GET query is not empty.
var querySuffix = "<?php var querySuffix = '<?php
if (!empty($_POST['postLoginQuery'])) { if (!empty($_SESSION['postLoginQuery'])) {
parse_str($_POST['postLoginQuery'], $queryParams); parse_str($_SESSION['postLoginQuery'], $queryParams);
echo '?' . http_build_query($queryParams); echo '?' . http_build_query($queryParams);
zm_session_start();
unset($_SESSION['postLoginQuery']);
session_write_close();
} }
?>"; ?>';
if ( querySuffix == '?view=login' ) { if ( querySuffix == '?view=login' ) {
// If we didn't redirect elsewhere, then don't show login page, go to console // If we didn't redirect elsewhere, then don't show login page, go to console
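Review bot: `$_SESSION['postLoginQuery']` is read on the `if (!empty(...))` and `parse_str(...)` lines before `zm_session_start()` is called, so the branch appears to depend on the session having been started earlier in the request and on `$_SESSION` still holding that data after the earlier `session_write_close()`; if this include ever runs without that prior start, the saved query is silently dropped. Opening the session first makes the read and the `unset` operate on the same freshly loaded data: move `zm_session_start();` above the `if` and `session_write_close();` below it, leaving only `unset($_SESSION['postLoginQuery']);` inside the branch. The comment `// Append '?(GET query)' to URL if the GET query is not empty.` now describes a session-stored query rather than the current GET query; `// Append '?(saved pre-login query)' to the URL if one was stored in the session.` would match the new code. The enclosing function continues outside the hunk.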


@ -7,7 +7,6 @@ xhtmlHeaders(__FILE__, translate('Login'));
<form class="center-block" name="loginForm" id="loginForm" method="post" action="?"> <form class="center-block" name="loginForm" id="loginForm" method="post" action="?">
<input type="hidden" name="action" value="login"/> <input type="hidden" name="action" value="login"/>
<input type="hidden" name="view" value="login"/> <input type="hidden" name="view" value="login"/>
<input type="hidden" name="postLoginQuery" value="<?php echo isset($_SERVER['QUERY_STRING']) ? htmlspecialchars($_SERVER['QUERY_STRING']) : ''?>">
<div id="loginError" class="hidden alarm" role="alert"> <div id="loginError" class="hidden alarm" role="alert">
<span class="glyphicon glyphicon-exclamation-sign" aria-hidden="true"></span> <span class="glyphicon glyphicon-exclamation-sign" aria-hidden="true"></span>