From 8943e1c8f2201a477af1f8089b95d781056fd2d6 Mon Sep 17 00:00:00 2001
From: Jeff Davis
Date: Fri, 16 May 2014 15:14:43 -0700
Subject: [PATCH] LP#1314827: On login, don't allow referer-based redirect to external site

On /eg/opac/login, if no redirect_to param is provided, the TPAC will attempt to use the referer (if any) as the redirect destination. This leads to undesirable behavior if the referring URL is from an external site.

Signed-off-by: Jeff Davis
Signed-off-by: Ben Shum
---
 Open-ILS/src/templates/opac/parts/login/form.tt2 | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/Open-ILS/src/templates/opac/parts/login/form.tt2 b/Open-ILS/src/templates/opac/parts/login/form.tt2
index 2861fa0fe3..9b13f587a2 100644
--- a/Open-ILS/src/templates/opac/parts/login/form.tt2
+++ b/Open-ILS/src/templates/opac/parts/login/form.tt2
@@ -37,9 +37,13 @@
 [%
+ redirect = CGI.param('redirect_to');
+ # Don't use referer unless we got here from elsewhere within the TPAC
+ IF !redirect AND ctx.referer.match('^https?://' _ ctx.hostname _ ctx.opac_root);
+ redirect = ctx.referer;
+ END;
 # If no redirect is offered or it's leading us back to the
 # login form, redirect the user to My Account
- redirect = CGI.param('redirect_to') || ctx.referer;
 IF !redirect OR redirect.match(ctx.path_info _ '$');
 redirect = CGI.url('-full' => 1) _ '/opac/myopac/main';
 END;
-- 
2.11.0
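Review bot: The same-origin test on the added `IF !redirect AND ctx.referer.match(...)` line is applied only to the referer; the explicit `redirect_to` parameter read on the first added line still flows into the final `redirect` unchecked, so an absolute external URL supplied in `redirect_to` would still send the user off-site after login unless the Perl login handler validates it, which this hunk does not show. Applying the check to whichever source supplied the value closes that gap while leaving site-relative paths alone, e.g. `IF redirect AND redirect.match('^(?:[A-Za-z][A-Za-z0-9+.-]*:)?//') AND !redirect.match('^https?://' _ ctx.hostname _ ctx.opac_root); redirect = ''; END;`, which also rejects protocol-relative `//host` values. Separately, `ctx.hostname` and `ctx.opac_root` are interpolated as regex source, so the dots in the hostname match any character and, should `ctx.opac_root` ever be empty, `^https?://HOSTNAME` would also accept a referer whose host merely begins with HOSTNAME (for instance `HOSTNAME.other.example` or `HOSTNAME@other.example`, constructed here); wrapping the interpolated text in `\Q`…`\E` addresses that, provided TT's single-quoted strings pass the backslashes through to the regex engine, which I have not verified from this hunk. The `[% ... %]` directive block that holds these lines is not closed within the hunk as shown.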