Commit 76c3c5ba authored by Cecilia Vela Gurovic's avatar Cecilia Vela Gurovic Committed by Gerrit Code Review

Merge "Security bug 1770561: Avoid back button vulnerability"

parents 42801e38 520d915d
......@@ -1072,7 +1072,7 @@ function auth_check_required_fields() {
'action' => '',
'elements' => $elements,
'dieaftersubmit' => FALSE,
'backoutaftersubmit' => TRUE,
'backoutaftersubmit' => FALSE,
));
}
......@@ -1253,9 +1253,6 @@ function requiredfields_submit(Pieform $form, $values) {
}
$SESSION->set('nocheckrequiredfields', true);
if ($form->get_property('backoutaftersubmit')) {
return;
}
redirect();
}
......@@ -1818,15 +1815,10 @@ function login_submit(Pieform $form, $values) {
}
}
auth_check_admin_section();
// This is also checked in $USER->login(), but it's good to check it again here in case a buggy auth plugin
// lets a suspended user through somehow.
ensure_user_account_is_active();
// Do redirect on login to avoid browser back button exploit
$requesturi = $_SERVER['SCRIPT_NAME'] . '?' . $_SERVER['QUERY_STRING'];
redirect($requesturi);
// User is allowed to log in
//$USER->login($userdata);
auth_check_required_fields();
}
/**
......
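Review bot: Nothing in the new code records that `'backoutaftersubmit' => FALSE` in auth_check_required_fields(), together with the now unconditional `redirect();` at the end of requiredfields_submit(), is what closes the back-button replay. The page has lost its +/- markers, so this reads FALSE as the new value and the `if ($form->get_property('backoutaftersubmit'))` early return as removed, which is what the hunk counts (7 to 7 and 9 to 6) suggest. A comment above the flag would keep it from being flipped back later, for example `// Must stay FALSE: the submit handler has to end in redirect() so the POSTed form cannot be replayed with the browser back button (bug 1770561)`. In login_submit() the only line that names the exploit, `// Do redirect on login to avoid browser back button exploit`, looks to be among the five lines the third hunk drops. If so, it is worth confirming that a login which needs no required fields still ends in a redirect, since no visible line after `auth_check_required_fields();` shows one. All three function bodies start outside their hunks.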