This repository was archived by the owner on Dec 13, 2018. It is now read-only.

Login form does not safe encode next query parameter #595

@KamalAman

Description

In the Login form, when the user needs to be authenticated, the next query parameter is not URI encoded with encodeURIComponent.

Example

request /resource?pretty&test=1
Authentication Failed
redirect login?next=/resource?pretty&test=1

However the redirect should be
redirect login?next=%2Fresource%3Fpretty%26test%3D1

Proposed change: Add encodeURIComponent when setting next, and decodeURIComponent when redirecting after successful login

  var url = require('url');

  // Keep only the path (and query) of the requested URL, dropping any host.
  var nextUri = url.parse(req.query.next || '').path;
  // Percent-encode the value so its own '?' and '&' stay inside `next`.
  var formActionUri = (config.web.login.uri + (nextUri ? ('?next=' + encodeURIComponent(nextUri)) : ''));

  if (req.user && config.web.login.enabled) {
    // After a successful login, send the user back to the originally requested path.
    var nextUrl = decodeURIComponent(nextUri || config.web.login.nextUri);
    return res.redirect(302, nextUrl);
  }

Currently, the original query parameters after the first one do not get included when redirected.
