AUR web interface

**This is the bug tracker for the AUR web interface.**

Use this tracker to report bugs or make feature requests regarding the behaviour or implementation of the AUR software.
Please read the Reporting Bug Guidelines before filing a new task.
http://wiki.archlinux.org/index.php/Reporting_Bug_Guidelines

- Please report bugs related to Arch Linux official packages here: http://bugs.archlinux.org/index.php?project=1
- Please report bugs for [community] packages here: http://bugs.archlinux.org/index.php?project=5
- For any packages in the AUR contact the maintainer or leave a comment on the package's detail page.

Source Code:
https://projects.archlinux.org/aurweb.git/

FS#67615 - [aurweb] Login page id_referer does not match http referer

Attached to Project: AUR web interface
Opened by Lee (faultylee) - Monday, 17 August 2020, 02:02 GMT
Last edited by Lukas Fleischer (lfleischer) - Wednesday, 19 August 2020, 10:42 GMT
Task Type: Bug Report
Category: Backend
Status: Unconfirmed
Assigned To: Jelle van der Waa (jelly), Sven-Hendrik Haase (Svenstaro), Giancarlo Razzolini (grazzolini)
Architecture: All
Severity: Low
Priority: Normal
Reported Version: 4.7.0
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 1
Private: No

Details

* What happened?
I was at https://aur.archlinux.org/packages/systemd-cron-next/ and went to log in; after logging in I was redirected to https://aur.archlinux.org/packages/osu-lazer/
After trying this a few times, I noticed this is happening randomly.

I then poked at the login page and noticed that the hidden input `id_referer` contains a wrong value, not the original referrer. I verified that the referrer in the request header was indeed correct.

* What to expect?
After login, the browser should redirect to the original page. The hidden input `id_referer` in the login page should contain the correct referrer from the request header for the login page.


* Remark
I took a look at the aurweb source code and I'm not a PHP expert, but the code looks right. The only thing I can suspect is a global variable leaking somewhere.

Comment by Lee (faultylee) - Monday, 17 August 2020, 02:08 GMT
When I tested with curl without any headers, `id_referer` is populated with `https://aur.archlinux.org/` but according to the code, the hidden input shouldn't even exist.

<?php if (in_request('referer') !== ""): ?>
<input id="id_referer" type="hidden" name="referer" value="<?= htmlspecialchars(in_request('referer'), ENT_QUOTES) ?>" />
<?php elseif (isset($_SERVER['HTTP_REFERER'])): ?>
<input id="id_referer" type="hidden" name="referer" value="<?= htmlspecialchars($_SERVER['HTTP_REFERER'], ENT_QUOTES) ?>" />
<?php endif; ?>

Comment by Lukas Fleischer (lfleischer) - Wednesday, 19 August 2020, 10:42 GMT
I suspect this to be an issue with caching (which has been enabled for aurweb by the DevOps team recently): the referrer in the login page gets cached, and the next time you visit that page, you'll see the previous referrer.
Comment by Lee (faultylee) - Wednesday, 19 August 2020, 14:02 GMT
The cache must be global; I get a page in the referrer that I've never visited.
Comment by Lukas Fleischer (lfleischer) - Wednesday, 19 August 2020, 21:56 GMT
Most likely. I believe the cache has been set up to be a single shared global cache for all users that are not logged in.
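The diagnosis above (a single shared cache for anonymous users storing a login page whose hidden `referer` field mirrors the Referer header of whoever happened to fill the cache) can be reproduced without aurweb or a real proxy. The following is an added example, not aurweb code or anything from the tracker: a toy shared cache in front of a handler modelled on the quoted template. The handler, the `/login/` URL, the `cache_policy` switch and the two package URLs used as sample referrers are assumptions for illustration. It shows the leak with no caching headers, then two fixes: `Vary: Referer` (the cache keys on the header, so it stops serving user A's page to user B) and `Cache-Control: private, no-store` (the page is never shared at all).

```python
"""Added example: shared-cache leak of a per-request Referer reflected
into a login form, and two header-level fixes. Not aurweb code."""
import html
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


def login_page(request_headers, cache_policy="none"):
    """Render a login form whose hidden 'referer' field mirrors the request's
    Referer header, as the PHP template quoted in the report does.
    cache_policy (hypothetical switch) picks the response headers:
      "none"    -> no caching headers (the deployment the report describes)
      "vary"    -> Vary: Referer, so a shared cache keys on that header
      "private" -> Cache-Control: private, no-store, never stored by a shared cache
    """
    referer = request_headers.get("Referer", "")
    hidden = ""
    if referer:
        hidden = ('<input id="id_referer" type="hidden" name="referer" value="%s" />'
                  % html.escape(referer, quote=True))
    headers = {"Content-Type": "text/html"}
    if cache_policy == "vary":
        headers["Vary"] = "Referer"
    elif cache_policy == "private":
        headers["Cache-Control"] = "private, no-store"
    return Response(f"<form method='post'>{hidden}</form>", headers)


class SharedCache:
    """Minimal shared cache for anonymous users: keys on URL plus the request
    headers named in the response's Vary; refuses to store private/no-store."""

    def __init__(self, origin):
        self.origin = origin
        self.store = {}          # cache key -> Response
        self.vary_by_url = {}    # url -> tuple of header names learned from Vary

    def _key(self, url, request_headers):
        vary = self.vary_by_url.get(url, ())
        return (url,) + tuple(request_headers.get(h, "") for h in vary)

    def get(self, url, request_headers):
        """Return (response, served_from_cache)."""
        key = self._key(url, request_headers)
        if key in self.store:
            return self.store[key], True
        resp = self.origin(url, request_headers)
        cc = resp.headers.get("Cache-Control", "").lower()
        if "private" in cc or "no-store" in cc:
            return resp, False
        self.vary_by_url[url] = tuple(
            h.strip() for h in resp.headers.get("Vary", "").split(",") if h.strip())
        self.store[self._key(url, request_headers)] = resp
        return resp, False


def extract_referer(body):
    """Pull the value of the hidden referer field back out of the rendered form."""
    m = re.search(r'name="referer" value="([^"]*)"', body)
    return html.unescape(m.group(1)) if m else ""


def simulate(cache_policy):
    """Constructed scenario from the report: user A opens the login page coming
    from osu-lazer, then user B (the reporter) comes from systemd-cron-next.
    Return (referer embedded in B's page, whether B was served from cache)."""
    cache = SharedCache(lambda url, hdrs: login_page(hdrs, cache_policy))
    cache.get("/login/", {"Referer": "https://aur.archlinux.org/packages/osu-lazer/"})
    resp, hit = cache.get(
        "/login/", {"Referer": "https://aur.archlinux.org/packages/systemd-cron-next/"})
    return extract_referer(resp.body), hit


if __name__ == "__main__":
    for policy in ("none", "vary", "private"):
        print(policy, simulate(policy))
```

With `none`, user B's form carries user A's referrer and the post-login redirect sends B to a page B never visited, exactly the behaviour reported. `Vary: Referer` stops the cross-user mix-up but fragments the cache per referrer and still stores request-specific data; for a page that reflects per-request input (and carries a login form), not caching it at all with `Cache-Control: private, no-store` is the safer choice.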
