[Valid]phpBB3.0.4 + CPG 1.4.20.. Returning to specific page requested post login [Valid]phpBB3.0.4 + CPG 1.4.20.. Returning to specific page requested post login
 

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Main Menu

[Valid]phpBB3.0.4 + CPG 1.4.20.. Returning to specific page requested post login

Started by LrgrThnLf, February 16, 2009, 09:43:18 PM

Previous topic - Next topic

0 Members and 2 Guests are viewing this topic.

LrgrThnLf

After posting in the integration forum, I'm advised this is a "missing feature" so I'm posting a feature request.

When one is not signed into CPG or phpBB, and the two are integrated, one is redirected (correctly) to the phpBB log in page.

When one has logged in, however, one is returned to the top level of CPG and not to the specifically requested page which triggered the login. I understand that this has some security implications (a requested redirect URL should not perform any data manipulation operations without being confirmed) but it seems counter intuitive otherwise to expect a user to request a page, log in, then go back to the originally requested link and reload it.

Joachim Müller

I'm not a bridging expert nor a phpBB expert, but it's likely that this is a missing feature of phpBB and not a missing feature of Coppermine, so it's very likely that your request might simply not apply.

LrgrThnLf

phpBB3 allows the specification of a redirection URL during login via the redirect parameter.

Are you saying that a "registered users only" gallery in CPG1.4.20 will redirect someone back to the specific page they were requesting if a user is not logged in?
If it does, do other bridged messageboards also achieve this also?

Current situation - from CPG bridged:

phpBB3's own behaviour:

In the phpBB3.x bridge file, phpbb3.inc.php, there's a section of code: function login_page()
{
global $CONFIG;

$redirect = urlencode($CONFIG['site_url']);
$this->redirect("/ucp.php?mode=login&redirect=$redirect");
}
In the SMF2.x bridge file, there's the code:        function login_page()
        {
                global $CONFIG;

                // silly workaround for SMF's redirect check...
                $_SESSION['old_url'] = $CONFIG['site_url'] . '?board=redirect';
                $this->redirect('/index.php?action=login');
        }
Doing a quick grep suggests that "site_url" is derived from database's "_config" table, specifically the "ecards_more_pic_target" tuple. This appears to be the fully qualified location of the gallery.

QED The Coppermine bridge, not phpBB or SMF, seems to be redirecting people back to the top level page.

You may ask why I'm lodging this as a feature request rather than doing it myself - I'm a sysadmin by profession, not a programmer. So I'm good at tracking down things - but I'm sure there's people far more qualified than I to edit the code, and if they do edit the code, know the consequences of doing so.

Ie. There is a potential issue where a person requests a page that performs an administrative/data-altering function that shouldn't be performed without a specific confirmation (As per discussion in blog here http://www.phpbb.com/blog/2009/01/14/fighting-csrf/ )

Joachim Müller

Quote from: LrgrThnLf on February 17, 2009, 06:07:31 PM
Current situation - from CPG bridged:
Thanks for the summary. Taking into account what you said above, this is what we need to do then: populate the redirect var with the full location instead of the gallery root. This is comparatively easy, but (there's always a "but"): we need to find a way to sanitize the data contained in the redirect variable. If we don't, made-up links could be created that redirect people to malevolent pages. This is easier said than done: sanitizing the path information and the parameters in a URL is quite hard, as coppermine doesn't have a structure similar to SMF when it comes to URL parameters: we have an awful load of URL parameters with a lot of potential values to sanitize against.
This being said: I can see your point and I will flag your thread as "valid", but your request will not go into cpg1.5.x, as we already have a feature freeze stage for that version.

terrano

Well done on the auto resizing in the latest version  :)

By chance was the request in this topic included in the latest release ?

Requiring the same, if user is surfing the gallery un-logged and wants to make a comment on a photo and hits the login link they are directed back to the photo they wish to comment on instead of the index and trolling back through multiple page links to find the required photo.