LP#1314827: On login, don't allow referer-based redirect to external site

On /eg/opac/login, if no redirect_to param is provided, the TPAC will
attempt to use the referer (if any) as the redirect destination. This
leads to undesirable behavior if the referring URL is from an external
site.

Signed-off-by: Jeff Davis <jdavis@sitka.bclibraries.ca>
Signed-off-by: Ben Shum <bshum@biblio.org>

diff --git a/Open-ILS/src/templates/opac/parts/login/form.tt2 b/Open-ILS/src/templates/opac/parts/login/form.tt2
index 2861fa0..9b13f58 100644 (file)
--- a/Open-ILS/src/templates/opac/parts/login/form.tt2
+++ b/Open-ILS/src/templates/opac/parts/login/form.tt2
@@ -37,9 +37,13 @@
         </div>
         <div style="clear: both; padding-top: 15px;">
         [%
+            redirect = CGI.param('redirect_to');
+            # Don't use referer unless we got here from elsewhere within the TPAC
+            IF !redirect AND ctx.referer.match('^https?://' _ ctx.hostname _ ctx.opac_root);
+                redirect = ctx.referer;
+            END;
             # If no redirect is offered or it's leading us back to the
             # login form, redirect the user to My Account
-            redirect = CGI.param('redirect_to') || ctx.referer;
             IF !redirect OR redirect.match(ctx.path_info _ '$');
                 redirect = CGI.url('-full' => 1) _ '/opac/myopac/main';
             END;