FS#67615 : [aurweb] Login page id_referer does not match http referer

**This is the bug tracker for the AUR web interface.**

Use this tracker to report bugs or make feature requests regarding the behaviour or implementation of the AUR software.
Please read the Reporting Bug Guidelines before filing a new task.
http://wiki.archlinux.org/index.php/Reporting_Bug_Guidelines

- Please report bugs related to Arch Linux official packages here: http://bugs.archlinux.org/index.php?project=1
- Please report bugs for [community] packages here: http://bugs.archlinux.org/index.php?project=5
- For any packages in the AUR contact the maintainer or leave a comment on the package's detail page.

Source Code:
https://projects.archlinux.org/aurweb.git/

FS#67615 - [aurweb] Login page id_referer does not match http referer

Attached to Project: AUR web interface
Opened by Lee (faultylee) - Monday, 17 August 2020, 02:02 GMT
Last edited by Lukas Fleischer (lfleischer) - Wednesday, 19 August 2020, 10:42 GMT

Task Type	Bug Report
Category	Backend
Status	Unconfirmed
Assigned To	Jelle van der Waa (jelly) Sven-Hendrik Haase (Svenstaro) Giancarlo Razzolini (grazzolini)
Architecture	All
Severity	Low
Priority	Normal
Reported Version	4.7.0
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	1 Lee (faultylee) (2020-08-17)
Private	No

Details

* What happend?
I was at https://aur.archlinux.org/packages/systemd-cron-next/ and I went to login and after logging in I was redirected to https://aur.archlinux.org/packages/osu-lazer/
After trying this a few times, I noticed this is happening randomly.

I then poked at the login page, I noticed the hidden input for `id_referer` contains a wrong value, not the original referrer and I verified that the referrer in the request header was indeed correct

* What to expect?
After login, browser should redirect to the original page. The hidden input `id_referer` in login page should contain the correct referrer in the request header for login page.

* Remark
I took a look at aurweb source code and I'm not PHP expert but the code looks right. The only thing I can suspect is the global variable leaking somewhere.

This task depends upon

Comments (5)
Related Tasks (0/0)

Comment by Lee (faultylee) - Monday, 17 August 2020, 02:08 GMT

When I tested with curl without any headers, `id_referer` is populated with `https://aur.archlinux.org/` but according to the code, the hidden input shouldn't even exist.

<?php if (in_request('referer') !== ""): ?>
<input id="id_referer" type="hidden" name="referer" value="<?= htmlspecialchars(in_request('referer'), ENT_QUOTES) ?>" />
<?php elseif (isset($_SERVER['HTTP_REFERER'])): ?>
<input id="id_referer" type="hidden" name="referer" value="<?= htmlspecialchars($_SERVER['HTTP_REFERER'], ENT_QUOTES) ?>" />
<?php endif; ?>

Comment by Lukas Fleischer (lfleischer) - Wednesday, 19 August 2020, 10:42 GMT

Task assigned to Giancarlo Razzolini (grazzolini), Jelle van der Waa (jelly), Sven-Hendrik Haase (Svenstaro)

I suspect this to be an issue with caching (which has been enabled for aurweb by the DevOps team recently): the referrer in the login page gets cached, and the next time you visit that page, you'll see the previous referrer.

Comment by Lee (faultylee) - Wednesday, 19 August 2020, 14:02 GMT

The cache must be global, I get page in the referrer that I've never visited.

Comment by Lukas Fleischer (lfleischer) - Wednesday, 19 August 2020, 21:56 GMT

Most likely. I believe the cache has been set up to be a single shared global cache for all users that are not logged in.

Comment by Lukas Fleischer (lfleischer) - Wednesday, 19 August 2020, 22:55 GMT

Most likely. I believe the cache has been set up to be a single shared global cache for all users that are not logged in.

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

AUR web interface

FS#67615 - [aurweb] Login page id_referer does not match http referer

Details

Loading...