Edgewall Software
Modify

Opened 9 years ago

Closed 8 years ago

#10028 closed defect (fixed)

Trac login forgets referrer when switching from http: to https:

Reported by: Dirk Stöcker Owned by: Christian Boos
Priority: normal Milestone: 0.12.3
Component: web frontend Version:
Severity: normal Keywords:
Cc: Branch:
Release Notes:
API Changes:

Description

My site is designed so that the login request sends it to https. Afterwards trac stays at https, which is desired. Now the problem is, that it looses the referrer on doing so. Looking at trac/web/auth.py the check always assumes that the function _redirect_back needs to take into account, that the http/https prefix may differ.

I use "use_base_url_for_redirect=false" BTW.

236	    def _redirect_back(self, req):
237	        """Redirect the user back to the URL she came from."""
238	        referer = self._referer(req)
239	        if referer and referer.startswith(('http://', 'https://')) \
240	                and not (referer == req.base_url or \
241	                         referer.startswith(req.base_url.rstrip('/') + '/')):
242	            # only redirect to referer if it is from the same site
243	            referer = None
244	        if referer and referer.rstrip('/') == req.base_url.rstrip('/') \
245	                                              + req.path_info.rstrip('/'):
246	            # Avoid redirect loops
247	            referer = None
248	        req.redirect(referer or req.abs_href())

Switching to https: first and doing login afterwards works as expected.

Attachments (1)

t10028-r1775.patch (2.3 KB ) - added by Christian Boos 8 years ago.
ignore scheme in the _redirect_back check for same host

Download all attachments as: .zip

Change History (6)

comment:1 by Christian Boos, 9 years ago

Milestone: 0.12.3

Yes, good point.

by Christian Boos, 8 years ago

Attachment: t10028-r1775.patch added

ignore scheme in the _redirect_back check for same host

comment:2 by Christian Boos, 8 years ago

Owner: set to Christian Boos
Status: newassigned

Hello Dirk,

Would you mind testing my patch above? And also, could you tell us more about your setup and how you arranged for switching to https after login? Something like what's described in #4733? (although that ticket is a bit hard to follow…)

comment:3 by anonymous, 8 years ago

This patch fixes the issue, but I'm not sure if new situation is better.

I enforce https using this in apache:

  RedirectMatch ^/login(.*)$ https://<hostname>/login$1

Now your patch ensures that redirect now works, but previously after login you were on the https: pages, now you are back on http:. I would prefer if the redirect does not drop the security level.

This looks better to me:

    def _redirect_back(self, req):
        """Redirect the user back to the URL she came from."""
        referer = self._referer(req)  
        if referer:
            pos = req.base_url.find(':')
            base_noscheme = req.base_url[pos:]  
            base_scheme = req.base_url[:pos]
            referer_noscheme = referer[referer.find(':'):]  
            # only redirect to referer if it is from the same site
            if referer_noscheme == base_noscheme or \
                 referer_noscheme.startswith(base_noscheme.rstrip('/') + '/'):
                # avoid redirect loops
                if referer_noscheme.rstrip('/') != \
                        base_noscheme.rstrip('/') + req.path_info.rstrip('/'):
                    req.redirect(base_scheme + referer_noscheme)
        req.redirect(req.abs_href())

comment:4 by Dirk Stöcker, 8 years ago

Sorry. forgot login.

in reply to:  3 comment:5 by Christian Boos, 8 years ago

Resolution: fixed
Status: assignedclosed

Replying to comment:3:

[…] now you are back on http:. I would prefer if the redirect does not drop the security level.

Doh! I intended to do it like that, but forgot while coding.

This looks better to me:

Sure! Committed in r10781.

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Christian Boos.
The resolution will be deleted. Next status will be 'reopened'.
to as closed The owner will be changed from Christian Boos to the specified user.

Add Comment


E-mail address and name can be saved in the Preferences .
 
Note: See TracTickets for help on using tickets.