Hi everyone!
While testing the new version 5.10.1 it was brought to our attention that the login was returning some interesting information in the query parameters. It was a bit interesting because our first thought was that the form submission was the main culprit, but it was simpler than that: the login link in the header bar.
You can reproduce this by going to the register page:
https://openacs.org/register/
Then press the link in the top right corner and the result will be something like this:
https://openacs.org/register/?return_url=/
if the credentials are correct then it is not a problem, but if not, then after submitting you try to go into the link again, and you will get a different return URL:
https://openacs.org/register/?return_url=/register/?persistent_p%3dt%26__refreshing_p%3d0%26ok%3dok%26form:mailto:id%3dlogin%26__confirmed_p%3d0%26time%3d1737484712%26host_node_id%3d%26email%3dasdfasdf@test.com%26return_url%3d/pvt/home%26form:mode%3dedit%26hash%3dAB21E250979036C87F6F393B3127433470056C9C%26token_id%3d529
After searching it was found that the procedure used to create the return_url, ad_return_url
, has code that always adds the form to the query string.
if {[ns_conn isconnected]} {
set query_list [export_vars -entire_form]
set base_url [ns_conn url]
}
My question is: Is it possible to add another flag to the API for the ad_return_url
procedure to either include or exclude the -entire_form
flag? That way we can still use the return url without having to walk around it.
Thanks
JC