0004942: Possible redirect loop in autenthication - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update
0004942	mantisbt	other	public	2004-12-07 05:04	2004-12-11 03:01

Reporter	masc	Assigned To	masc
Priority	normal	Severity	minor	Reproducibility	always
Status	closed	Resolution	fixed
Platform	X86	OS	Windows	OS Version	Win2K
Product Version	git trunk
Fixed in Version	0.19.2

Summary	0004942: Possible redirect loop in autenthication
Description	I have discovered a strange behaviour I'm going to summarise here after. In access_api, the access_denied() function calls a redirect to login_page.php in case of non autenticated user. It does the redirect if the referer is the login_page.php itself and then it starts the never ending loop. The problem is now hidden by a notice error that blocks the redirect. This morning I fixed the notice (use of $_SERVER['QUERY_STRING'] when it's not set) and then the login page started to go in loop.
Additional Information	So I propose the following fix for both the problems: --- C:\Inetpub\wwwroot\mantisbt\core\access_api.php Mon Oct 25 21:47:52 2004 +++ C:\Inetpub\wwwroot\issuetracker\core\access_api.php Tue Dec 07 11:51:50 2004 @@ -30,11 +30,14 @@ } `if ( !auth_is_user_authenticated() ) {` if( basename( $_SERVER['SCRIPT_NAME'] ) != 'login_page.php' ) { if ( !isset( $_SERVER['REQUEST_URI'] ) ) { if( !isset( $_SERVER['QUERY_STRING'] ) ) $_SERVER['QUERY_STRING'] = ''; $_SERVER['REQUEST_URI'] = $_SERVER['SCRIPT_NAME'].'?'.$_SERVER['QUERY_STRING']; } $p_return_page = string_url( $_SERVER['REQUEST_URI'] ); print_header_redirect( 'login_page.php?return=' . $p_return_page ); $t_return_page = string_url( $_SERVER['REQUEST_URI'] ); print_header_redirect( 'login_page.php?return=' . $t_return_page ); } } else { echo '<center>'; echo ' '.error_string(ERROR_ACCESS_DENIED).' ';
Tags	No tags attached.