FS#67615 - [aurweb] Login page id_referer does not match http referer

Attached to Project: AUR web interface
Opened by Lee (faultylee) - Monday, 17 August 2020, 02:02 GMT
Last edited by Kevin Morris (kevr) - Saturday, 12 February 2022, 23:28 GMT
Task Type Bug Report
Category Backend
Status Closed
Assigned To Jelle van der Waa (jelly), Sven-Hendrik Haase (Svenstaro), Giancarlo Razzolini (grazzolini)
Architecture All
Severity Low
Priority Normal
Reported Version 4.7.0
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 1
Private No

Details

* What happened?
I was at https://aur.archlinux.org/packages/systemd-cron-next/ and I went to login and after logging in I was redirected to https://aur.archlinux.org/packages/osu-lazer/
After trying this a few times, I noticed this is happening randomly.

I then poked at the login page and noticed that the hidden input for `id_referer` contains a wrong value, not the original referrer. I verified that the referrer in the request header was indeed correct.

* What to expect?
After login, browser should redirect to the original page. The hidden input `id_referer` in login page should contain the correct referrer in the request header for login page.


* Remark
I took a look at the aurweb source code, and I'm not a PHP expert, but the code looks right. The only thing I can suspect is the global variable leaking somewhere.

Closed by Kevin Morris (kevr)
Saturday, 12 February 2022, 23:28 GMT
Reason for closing: Deferred
Additional comments about closing: The HTTP referrer handling has changed since v6.0.0. Please open a new task regarding this issue if it remains.
Comment by Lee (faultylee) - Monday, 17 August 2020, 02:08 GMT
When I tested with curl without any headers, `id_referer` is populated with `https://aur.archlinux.org/` but according to the code, the hidden input shouldn't even exist.

<?php if (in_request('referer') !== ""): ?>
<input id="id_referer" type="hidden" name="referer" value="<?= htmlspecialchars(in_request('referer'), ENT_QUOTES) ?>" />
<?php elseif (isset($_SERVER['HTTP_REFERER'])): ?>
<input id="id_referer" type="hidden" name="referer" value="<?= htmlspecialchars($_SERVER['HTTP_REFERER'], ENT_QUOTES) ?>" />
<?php endif; ?>

Comment by Lukas Fleischer (lfleischer) - Wednesday, 19 August 2020, 10:42 GMT
I suspect this to be an issue with caching (which has been enabled for aurweb by the DevOps team recently): the referrer in the login page gets cached, and the next time you visit that page, you'll see the previous referrer.
Comment by Lee (faultylee) - Wednesday, 19 August 2020, 14:02 GMT
The cache must be global; I get pages in the referrer that I've never visited.
Comment by Lukas Fleischer (lfleischer) - Wednesday, 19 August 2020, 21:56 GMT
Most likely. I believe the cache has been set up to be a single shared global cache for all users that are not logged in.
Comment by Lukas Fleischer (lfleischer) - Wednesday, 19 August 2020, 22:55 GMT
Most likely. I believe the cache has been set up to be a single shared global cache for all users that are not logged in.
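
A minimal model of the behaviour suspected in this thread, added here as an illustration and not taken from aurweb or the Arch DevOps configuration: a cache shared by all anonymous users stores the login page under its URL alone, so the `id_referer` value rendered for one visitor is replayed to the next. The `SharedCache` class, the `/login/` path and the `vary` parameter are assumptions made for the example; the two package URLs are the ones from the report.

```python
from html import escape


def render_login(headers):
    """Constructed stand-in for the login template: embeds the request's Referer, if any."""
    ref = headers.get("Referer")
    if ref is None:
        return "<form></form>"  # no Referer header: the hidden input is not emitted
    value = escape(ref, quote=True)
    return f'<form><input id="id_referer" type="hidden" name="referer" value="{value}" /></form>'


class SharedCache:
    """Hypothetical reverse-proxy cache shared by every anonymous visitor."""

    def __init__(self, vary=()):
        self.vary = tuple(vary)  # request headers folded into the cache key
        self.store = {}

    def fetch(self, url, headers, origin):
        key = (url,) + tuple(headers.get(name) for name in self.vary)
        if key not in self.store:  # miss: render once, then replay to everyone with this key
            self.store[key] = origin(headers)
        return self.store[key]


def simulate(vary):
    """Three anonymous requests for the login page through one shared cache."""
    cache = SharedCache(vary)
    url = "/login/"  # constructed path
    first = cache.fetch(
        url, {"Referer": "https://aur.archlinux.org/packages/osu-lazer/"}, render_login)
    second = cache.fetch(
        url, {"Referer": "https://aur.archlinux.org/packages/systemd-cron-next/"}, render_login)
    bare = cache.fetch(url, {}, render_login)  # like curl without any headers
    return first, second, bare


if __name__ == "__main__":
    for vary in ((), ("Referer",)):
        _, second, bare = simulate(vary)
        print(f"key includes {vary or 'URL only'}:")
        print("  second visitor gets:", second)
        print("  header-less client gets:", bare)
```

With the URL-only key, the second visitor and the header-less client both receive the first visitor's referrer, which matches both symptoms reported above. Folding `Referer` into the key (the effect of a `Vary: Referer` response header) removes the leak, as does marking the login page uncacheable with `Cache-Control: no-store`.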
