--- loncom/auth/lonlogin.pm 2021/09/28 20:47:46 1.186
+++ loncom/auth/lonlogin.pm 2021/10/10 23:22:30 1.191
@@ -1,7 +1,7 @@
# The LearningOnline Network
# Login Screen
#
-# $Id: lonlogin.pm,v 1.186 2021/09/28 20:47:46 raeburn Exp $
+# $Id: lonlogin.pm,v 1.191 2021/10/10 23:22:30 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -38,6 +38,8 @@ use Apache::lonlocal;
use Apache::migrateuser();
use lib '/home/httpd/lib/perl/';
use LONCAPA qw(:DEFAULT :match);
+use URI::Escape;
+use HTML::Entities();
use CGI::Cookie();
sub handler {
@@ -60,6 +62,9 @@ sub handler {
(!$env{'form.ltoken'}) && (!$env{'form.linkkey'})) {
&Apache::lonacc::get_posted_cgi($r,['linkkey']);
}
+ if ($env{'form.firsturl'} eq '/adm/logout') {
+ delete($env{'form.firsturl'});
+ }
# -- check if they are a migrating user
if (defined($env{'form.token'})) {
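Review bot: The guard at line 24 only drops a firsturl that is exactly `/adm/logout`; a value such as `/adm/logout/` or `/adm/logout?...` passes through and would presumably still send the freshly authenticated user straight back to the logout handler, which I take to be what the check is meant to prevent. If so, anchor on the path prefix instead: `if ($env{'form.firsturl'} =~ m{^/adm/logout(?:[/?]|$)}) {`. The `if` whose condition ends at line 21, and sub handler itself, both start outside the hunk.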
@@ -111,7 +116,6 @@ sub handler {
}
my $lonhost = $r->dir_config('lonHostID');
- $env{'form.firsturl'} =~ s/(`)/'/g;
# Check if browser sent a LON-CAPA load balancer cookie (and this is a balancer)
@@ -123,7 +127,12 @@ sub handler {
$protocol = 'http' if ($protocol ne 'https');
my $dest = '/adm/roles';
if ($env{'form.firsturl'} ne '') {
- $dest = $env{'form.firsturl'};
+ if ($env{'form.firsturl'} =~ /[^\x00-\xFF]/) {
+ $dest = &uri_escape_utf8($env{'form.firsturl'});
+ } else {
+ $dest = &uri_escape($env{'form.firsturl'});
+ }
+ $dest = &HTML::Entities::encode($dest,"'");
}
my %info = (
balcookie => $lonhost.':'.$balancer_cookie,
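Review bot: `uri_escape` with its default unsafe set also percent-encodes `/`, `?`, `=` and `&`, so a firsturl of `/res/foo.html?x=1` becomes `%2Fres%2Ffoo.html%3Fx%3D1`; if `$dest` is then used as the path of a redirect (its use is outside the hunk) that is no longer the original resource, and the `$dest=~/\?/` test in the btoken hunk below can never match, so `?btoken=` is appended even when the URL already carried a query string. The same applies to the second copy at lines 62–67, and any firsturl that is already percent-encoded gets its `%` re-encoded to `%25`. If the value is meant to remain a usable URL, pass an explicit unsafe-character set that leaves the URL delimiters alone, e.g. `$dest = &uri_escape($env{'form.firsturl'}, q{^A-Za-z0-9\-._~/?=&:});` (and the same second argument for `uri_escape_utf8`). Since `uri_escape` leaves no `'` behind, `&HTML::Entities::encode($dest,"'")` is currently a no-op; sub handler starts outside the hunk.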
@@ -141,7 +150,7 @@ sub handler {
}
my $balancer_token = &Apache::lonnet::tmpput(\%info,$found_server);
if ($balancer_token) {
- $dest .= (($dest=~/\?/)?'&;':'?') . 'btoken='.$balancer_token;
+ $dest .= (($dest=~/\?/)?'&':'?') . 'btoken='.$balancer_token;
}
unless ($found_server eq $lonhost) {
my $alias = &Apache::lonnet::use_proxy_alias($r,$found_server);
@@ -203,7 +212,12 @@ sub handler {
&Apache::loncommon::end_page();
my $dest = '/adm/roles';
if ($env{'form.firsturl'} ne '') {
- $dest = $env{'form.firsturl'};
+ if ($env{'form.firsturl'} =~ /[^\x00-\xFF]/) {
+ $dest = &uri_escape_utf8($env{'form.firsturl'});
+ } else {
+ $dest = &uri_escape($env{'form.firsturl'});
+ }
+ $dest = &HTML::Entities::encode($dest,"'");
}
if (($env{'form.ltoken'}) || ($linkprot)) {
unless ($linkprot) {
@@ -403,8 +417,6 @@ sub handler {
}
if ($env{'form.ltoken'}) {
my %info = &Apache::lonnet::tmpget($env{'form.ltoken'});
- &Apache::lonnet::tmpdel($env{'form.ltoken'});
- delete($env{'form.ltoken'});
if ($info{'linkprot'}) {
if (!$tokenextras) {
$tokenextras = '&&&';
@@ -428,6 +440,10 @@ sub handler {
if ($logtoken eq 'no_such_host') {
&Apache::lonnet::logthis('No valid logtoken for log-in page -- unable to determine hostname for hostID: '.$lonhost.'. Check entry in hosts.tab');
}
+ if ($env{'form.ltoken'}) {
+ &Apache::lonnet::tmpdel($env{'form.ltoken'});
+ delete($env{'form.ltoken'});
+ }
my $spares='';
my (@sparehosts,%spareservers);
my $sparesref = &Apache::lonnet::this_host_spares($defdom);
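Review bot: The ltoken removal moved here (lines 84–87) sits, in file order, before the SSO block around line 811 that still reads `$env{'form.ltoken'}` to build a `ltoken=` parameter and before the `else` branch around line 858 that deletes it again; if all three are on the same control path in sub handler (which starts outside the hunk, so I cannot confirm), the later read sees an empty value and the later delete is dead code. If the token must be consumed this early, save it first, e.g. `my $ltoken_for_sso = $env{'form.ltoken'};`, and use that lexical in the SSO block; otherwise consider deleting it only after the SSO link has been built.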
@@ -795,15 +811,29 @@ HEADER
if ($samlssourl ne '') {
$ssologin = $samlssourl;
}
+ if ($env{'form.firsturl'} ne '') {
+ my $querystring = 'origurl=';
+ if ($env{'form.firsturl'} =~ /[^\x00-\xFF]/) {
+ $querystring .= &uri_escape_utf8($env{'form.firsturl'});
+ } else {
+ $querystring .= &uri_escape($env{'form.firsturl'});
+ }
+ $querystring = &HTML::Entities::encode($querystring,"'");
+ $ssologin .= (($ssologin=~/\?/)?'&':'?') . $querystring;
+ }
+ if ($env{'form.ltoken'} ne '') {
+ $querystring .= (($querystring eq '')?'':'&') . 'ltoken='.
+ &HTML::Entities::encode(&uri_escape($env{'form.ltoken'}));
+ } elsif ($env{'form.linkkey'}) {
+ $querystring .= (($querystring eq '')?'':'&') . 'linkkey='.
+ &HTML::Entities::encode(&uri_escape($env{'form.linkkey'}));
+ }
my $ssohref;
if ($samlssoimg ne '') {
$ssohref = '
';
} else {
$ssohref = ''.$samlssotext.'';
}
- if ($env{'form.firsturl'}) {
- $ssologin .= '?origurl='.&HTML::Entities::encode($env{'form.firsturl'},'<>&"');
- }
if (($env{'form.saml'} eq 'no') ||
(($env{'form.username'} ne '') && ($env{'form.domain'} ne ''))) {
$ssoauthstyle = 'none';
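Review bot: `$querystring` is declared with `my` inside the `if ($env{'form.firsturl'} ne '')` block at line 96, yet lines 106 and 109 append to it outside that block: under `use strict` that is a compile-time error unless an outer `$querystring` is declared before the hunk, and if one is, the inner `my` shadows it, so the `ltoken=`/`linkkey=` parts land in a variable that nothing in this hunk ever appends to `$ssologin`. Either way the ltoken/linkkey parameters do not reach the SSO link as written. Hoist the declaration above the `if`, build the complete string, then append it to `$ssologin` once. The enclosing sub starts outside the hunk.
```perl
my $querystring = '';
if ($env{'form.firsturl'} ne '') {
    $querystring = 'origurl=';
    if ($env{'form.firsturl'} =~ /[^\x00-\xFF]/) {
        $querystring .= &uri_escape_utf8($env{'form.firsturl'});
    } else {
        $querystring .= &uri_escape($env{'form.firsturl'});
    }
}
if ($env{'form.ltoken'} ne '') {
    $querystring .= (($querystring eq '')?'':'&') . 'ltoken='.
                    &uri_escape($env{'form.ltoken'});
} elsif ($env{'form.linkkey'}) {
    $querystring .= (($querystring eq '')?'':'&') . 'linkkey='.
                    &uri_escape($env{'form.linkkey'});
}
if ($querystring ne '') {
    $ssologin .= (($ssologin=~/\?/)?'&':'?') .
                 &HTML::Entities::encode($querystring,"'");
}
# … unchanged: $ssohref construction and the form.saml check …
```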
@@ -828,6 +858,11 @@ $coursecatalog
ENDSAML
+ } else {
+ if ($env{'form.ltoken'}) {
+ &Apache::lonnet::tmpdel($env{'form.ltoken'});
+ delete($env{'form.ltoken'});
+ }
}
$r->print(< $linkprot},$desthost);
if ($ltoken) {
- $url .= (($url =~ /\?/) ? '&' : '?').'ltoken='.$ltoken;
+ $url .= (($url =~ /\?/) ? '&' : '?').'ltoken='.$ltoken;
}
}
my $start_page = &Apache::loncommon::start_page('Switching Server ...',undef,