Steps to reproduce:

  1. Configure foswiki to use TemplateLogin
  2. Try to edit a page without been logged in
  3. The login screen appears. Log in.
  4. If the login is successful, there is no problem
  5. Logout
  6. Try to edit a page
  7. Login screen: enter wrong credentials
  8. Login screen again: enter right credentials
  9. You are editing WebHome!

When TemplateLogin realizes that there is no logged in user, it redirects to login screen and pass origurl param. The login screen adds all parameters as hidden fields to preserve them. The origurl is handled in a different way: it is deleted from the request, so %QUERYPARAMS{...}% (at login.tmpl) doesn't add it as a hidden field. Then login.tmpl adds origurl parameter and defines it to %ORIGURL%, that is a session preference, defined at the end of Foswiki::LoginManager::TemplateLogin::login. Here is the problem: ORIGURL is defined as a url-encoded version of the original origurl param. That's OK to the first time. But after a fail, the already-encoded value is encoded again. From this moment on it's garbage.

Since hidden field values doesn't need to be url-encoded, I think the best solution is to define ORIGURL preference without encodings.

-- GilmarSantosJr - 07 Feb 2009

Hidden field values doesn't need to be url-encoded, but does need to be encoded (entity or safe). This way there is no XSS vector and the original problem doesn't reappear.

-- GilmarSantosJr - 09 Feb 2009

The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. see CopyrightStatement. Creative Commons LicenseGet Foswiki at sourceforge.net. Fast, secure and Free Open Source software downloads