[obs-commits] [openSUSE/open-build-service] d27f67: [webui] Update OBS redirect after login

Branch: refs/heads/master Home: https://github.com/openSUSE/open-build-service Commit: d27f674b3e5da6898928a203c9a691527044b40b https://github.com/openSUSE/open-build-service/commit/d27f674b3e5da6898928a2... Author: Björn Geuken Date: 2015-09-01 (Tue, 01 Sep 2015) Changed paths: M src/api/app/controllers/webui/user_controller.rb M src/api/app/controllers/webui/webui_controller.rb M src/api/app/views/layouts/webui/_personal_navigation.html.erb M src/api/app/views/webui/user/login.html.erb M src/api/test/functional/webui/patchinfo_create_test.rb M src/api/test/functional/webui/signup_test.rb M src/api/test/functional/webui/user_controller_test.rb M src/api/test/test_helper.rb Log Message: ----------- [webui] Update OBS redirect after login After login OBS users get redirected to the page they initially visited. So far this was done via hidden fields in the views and parameters that were processed in the controller. An attacker could use those parameters to redirect to an untrusted side. This commit stores the last visited page in the session store to avoid that kind of attack. Commit: d2aacc4470116d55974f4be28a1a41c8a874a4d9 https://github.com/openSUSE/open-build-service/commit/d2aacc4470116d55974f4b... Author: Henne Vogelsang Date: 2015-09-02 (Wed, 02 Sep 2015) Changed paths: M src/api/app/controllers/webui/user_controller.rb M src/api/app/controllers/webui/webui_controller.rb M src/api/app/views/layouts/webui/_personal_navigation.html.erb M src/api/app/views/webui/user/login.html.erb M src/api/test/functional/webui/patchinfo_create_test.rb M src/api/test/functional/webui/signup_test.rb M src/api/test/functional/webui/user_controller_test.rb M src/api/test/test_helper.rb Log Message: ----------- Merge pull request #1078 from bgeuken/hakiri_redirect_issue [webui] Update OBS redirect after login Compare: https://github.com/openSUSE/open-build-service/compare/e2ed2c45c575...d2aacc...