View Issue Details

ID: 0004942
Project: mantisbt
Category: other
View Status: public
Last Update: 2004-12-11 03:01
Reporter: masc
Assigned To: masc
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform: X86
OS: Windows
OS Version: Win2K
Product Version: git trunk
Fixed in Version: 0.19.2
Summary: 0004942: Possible redirect loop in authentication
Description

I have discovered a strange behaviour, which I'm going to summarise hereafter.
In access_api, the access_denied() function calls a redirect to login_page.php in case of a non-authenticated user. It does the redirect if the referer is login_page.php itself, and then the never-ending loop starts.
The problem is now hidden by a notice error that blocks the redirect. This morning I fixed the notice (use of $_SERVER['QUERY_STRING'] when it's not set) and then the login page started to go into a loop.

Additional Information

So I propose the following fix for both the problems:

--- C:\Inetpub\wwwroot\mantisbt\core\access_api.php Mon Oct 25 21:47:52 2004
+++ C:\Inetpub\wwwroot\issuetracker\core\access_api.php Tue Dec 07 11:51:50 2004
@@ -30,11 +30,14 @@
}

    if ( !auth_is_user_authenticated() ) {
  • if( basename( $_SERVER['SCRIPT_NAME'] ) != 'login_page.php' ) {
    if ( !isset( $_SERVER['REQUEST_URI'] ) ) {
  • if( !isset( $_SERVER['QUERY_STRING'] ) ) $_SERVER['QUERY_STRING'] = '';
    $_SERVER['REQUEST_URI'] = $_SERVER['SCRIPT_NAME'].'?'.$_SERVER['QUERY_STRING'];
    }
  • $p_return_page = string_url( $_SERVER['REQUEST_URI'] );
  • print_header_redirect( 'login_page.php?return=' . $p_return_page );
  • $t_return_page = string_url( $_SERVER['REQUEST_URI'] );
  • print_header_redirect( 'login_page.php?return=' . $t_return_page );
  • }
    } else {
    echo '<center>';
    echo '<p>'.error_string(ERROR_ACCESS_DENIED).'</p>';
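
Review bot: The new `basename( $_SERVER['SCRIPT_NAME'] ) != 'login_page.php'` guard leaves the unauthenticated case on login_page.php with no action at all inside this branch: no redirect is sent, and the access-denied message sits in the `else` arm, so it is skipped as well. What happens next depends on code after the visible lines. Consider handling that case explicitly, or adding a comment stating that falling through is intended, so that a caller on the login page cannot continue as if access had been granted. The comparison is also an exact, case-sensitive string match, while the report lists Windows as the platform, where file names are not case-sensitive; comparing a lower-cased basename would keep the loop guard effective there. Minor style point: the one-line `if( !isset( $_SERVER['QUERY_STRING'] ) ) ...` has no braces, unlike the surrounding blocks.
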
Tags: No tags attached.

Relationships

has duplicate 0004989 closed masc Unlimited recursion in anonymous check cancels new sign-in
child of 0004818 closed vboctor Mantis 0.19.2 release

Activities

jlatour

2004-12-07 11:17

reporter   ~0008529

Alright, seems OK.

masc

2004-12-08 07:40

reporter   ~0008540

Fixed

Issue History

Date Modified Username Field Change
2004-12-07 05:04 masc New Issue
2004-12-07 11:15 jlatour Relationship added child of 0004818
2004-12-07 11:17 jlatour Note Added: 0008529
2004-12-07 11:17 jlatour Assigned To => masc
2004-12-07 11:17 jlatour Status new => acknowledged
2004-12-08 07:40 masc Status acknowledged => resolved
2004-12-08 07:40 masc Fixed in Version => 0.19.2
2004-12-08 07:40 masc Resolution open => fixed
2004-12-08 07:40 masc Note Added: 0008540
2004-12-11 03:01 vboctor Status resolved => closed
2004-12-17 01:23 masc Relationship added has duplicate 0004989