Opened 14 years ago
Closed 13 years ago
#10028 closed defect (fixed)
Trac login forgets referrer when switching from http: to https:
| Reported by: | Dirk Stöcker | Owned by: | Christian Boos |
|---|---|---|---|
| Priority: | normal | Milestone: | 0.12.3 |
| Component: | web frontend | Version: | |
| Severity: | normal | Keywords: | |
| Cc: | Branch: | ||
| Release Notes: | |||
| API Changes: | |||
| Internal Changes: | |||
Description
My site is designed so that the login request sends it to https. Afterwards trac stays at https, which is desired. Now the problem is, that it looses the referrer on doing so. Looking at trac/web/auth.py the check always assumes that the function _redirect_back needs to take into account, that the http/https prefix may differ.
I use "use_base_url_for_redirect=false" BTW.
236 def _redirect_back(self, req):
237 """Redirect the user back to the URL she came from."""
238 referer = self._referer(req)
239 if referer and referer.startswith(('http://', 'https://')) \
240 and not (referer == req.base_url or \
241 referer.startswith(req.base_url.rstrip('/') + '/')):
242 # only redirect to referer if it is from the same site
243 referer = None
244 if referer and referer.rstrip('/') == req.base_url.rstrip('/') \
245 + req.path_info.rstrip('/'):
246 # Avoid redirect loops
247 referer = None
248 req.redirect(referer or req.abs_href())
Switching to https: first and doing login afterwards works as expected.
Attachments (1)
Change History (6)
comment:1 by , 14 years ago
| Milestone: | → 0.12.3 |
|---|
by , 13 years ago
| Attachment: | t10028-r1775.patch added |
|---|
ignore scheme in the
_redirect_backcheck for same host
comment:2 by , 13 years ago
| Owner: | set to |
|---|---|
| Status: | new → assigned |
Hello Dirk,
Would you mind testing my patch above? And also, could you tell us more about your setup and how you arranged for switching to https after login? Something like what's described in #4733? (although that ticket is a bit hard to follow…)
follow-up: 5 comment:3 by , 13 years ago
This patch fixes the issue, but I'm not sure if new situation is better.
I enforce https using this in apache:
RedirectMatch ^/login(.*)$ https://<hostname>/login$1
Now your patch ensures that redirect now works, but previously after login you were on the https: pages, now you are back on http:. I would prefer if the redirect does not drop the security level.
This looks better to me:
def _redirect_back(self, req):
"""Redirect the user back to the URL she came from."""
referer = self._referer(req)
if referer:
pos = req.base_url.find(':')
base_noscheme = req.base_url[pos:]
base_scheme = req.base_url[:pos]
referer_noscheme = referer[referer.find(':'):]
# only redirect to referer if it is from the same site
if referer_noscheme == base_noscheme or \
referer_noscheme.startswith(base_noscheme.rstrip('/') + '/'):
# avoid redirect loops
if referer_noscheme.rstrip('/') != \
base_noscheme.rstrip('/') + req.path_info.rstrip('/'):
req.redirect(base_scheme + referer_noscheme)
req.redirect(req.abs_href())
comment:5 by , 13 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Yes, good point.