POST to login plugin in login form (matomo-org#14081)

* Instead of using referrer URL, use redirect post param so we can post to Login module. * Use actual login plugin name. * Remove sanitization for form_redirect POST value. * Couple more checks for a safer redirect. * Do not include port in host check. * Make sure hosts are not empty for more security.
fdellwing · Feb 11, 2019 · 92fa86c · 92fa86c
1 parent 8e9942f
commit 92fa86c
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 7 deletions.
diff --git a/plugins/Login/Controller.php b/plugins/Login/Controller.php
@@ -21,6 +21,7 @@
 use Piwik\QuickForm2;
 use Piwik\Session;
 use Piwik\Url;
+use Piwik\UrlHelper;
 use Piwik\View;
 
 /**
@@ -126,7 +127,6 @@ function index()
     function login($messageNoAccess = null, $infoMessage = false)
     {
         $form = new FormLogin();
-        $form->removeAttribute('action'); // remove action attribute, otherwise hash part will be lost
         if ($form->validate()) {
             $nonce = $form->getSubmitValue('form_nonce');
             if (Nonce::verifyNonce('Login.login', $nonce)) {
@@ -303,14 +303,19 @@ protected function authenticateAndRedirect($login, $password, $urlToRedirect = f
         $this->passwordResetter->removePasswordResetInfo($login);
 
         if (empty($urlToRedirect)) {
-            $referrer = Url::getReferrer();
-            $module = Common::getRequestVar('module', '', 'string');
+            $redirect = Common::unsanitizeInputValue(Common::getRequestVar('form_redirect', false));
+            $redirectParams = UrlHelper::getArrayFromQueryString(UrlHelper::getQueryFromUrl($redirect));
+            $module = Common::getRequestVar('module', '', 'string', $redirectParams);
             // when module is login, we redirect to home...
-            if ($module !== 'Login' && $module !== Piwik::getLoginPluginName() && $referrer) {
-                $host = Url::getHostFromUrl($referrer);
+            if (!empty($module) && $module !== 'Login' && $module !== Piwik::getLoginPluginName() && $redirect) {
+                $host = Url::getHostFromUrl($redirect);
+                $currentHost = Url::getHost();
+                $currentHost = explode(':', $currentHost, 2)[0];
+
                 // we only redirect to a trusted host
-                if ($host && Url::isValidHost($host)) {
-                    $urlToRedirect = $referrer;
+                if (!empty($host) && !empty($currentHost) && $host == $currentHost && Url::isValidHost($host)
+                ) {
+                    $urlToRedirect = $redirect;
                 }
             }
         }

diff --git a/plugins/Login/FormLogin.php b/plugins/Login/FormLogin.php
@@ -19,6 +19,7 @@ class FormLogin extends QuickForm2
 {
     function __construct($id = 'login_form', $method = 'post', $attributes = null, $trackSubmit = false)
     {
+        $attributes = array_merge($attributes ?: [], [ 'action' => '?module=' . Piwik::getLoginPluginName() ]);
         parent::__construct($id, $method, $attributes, $trackSubmit);
     }
 
@@ -30,6 +31,8 @@ function init()
         $this->addElement('password', 'form_password')
             ->addRule('required', Piwik::translate('General_Required', Piwik::translate('General_Password')));
 
+        $this->addElement('hidden', 'form_redirect');
+
         $this->addElement('hidden', 'form_nonce');
 
         $this->addElement('checkbox', 'form_rememberme');

diff --git a/plugins/Login/javascripts/login.js b/plugins/Login/javascripts/login.js
@@ -39,6 +39,9 @@
             });
         };
 
+        // set login form redirect url
+        $('#login_form_redirect').val(window.location.href);
+
         // 'lost your password?' on click
         $('#login_form_nav').click(function (e) {
             e.preventDefault();

diff --git a/plugins/Login/templates/login.twig b/plugins/Login/templates/login.twig
@@ -35,6 +35,7 @@
                     <div class="row">
                         <div class="col s12 input-field">
                             <input type="hidden" name="form_nonce" id="login_form_nonce" value="{{ nonce }}"/>
+                            <input type="hidden" name="form_redirect" id="login_form_redirect" value=""/>
                             <input type="password" placeholder="" name="form_password" id="login_form_password" class="input" value="" size="20"
                                    autocorrect="off" autocapitalize="none"
                                    tabindex="20" />