silverstripe / silverstripe-framework

Silverstripe Framework, the MVC framework that powers Silverstripe CMS
https://www.silverstripe.org
BSD 3-Clause "New" or "Revised" License

[SECURITY] LoginForm redirects to `?BackURL` on empty submission #4231

Open dhensby opened 9 years ago

dhensby commented 9 years ago

Example: http://www.silverstripe.org/Security/login?BackURL=/home

If you navigate to a login form with a BackURL specified in the URL and then submit the form without entering any data, the form redirects you to the BackURL location.

This is due to Controller::redirectBack() looking at BackURL for the current request and Form::getValidationErrorResponse() not taking into account that a failed validation should probably redirect to the page with the form, rather than the BackURL.

NB: to replicate you need to turn off HTML5 browser validation on inputs

zacps commented 7 years ago

~~This is actually a setting in src/Forms/Form.php#183 called redirectToFormOnValidationError which is by default set to false. Do you think this should be changed? I agree that redirecting back to the form is the more logical behaviour. I couldn't find any occurrences of the property being used, at least in framework.~~

dhensby commented 7 years ago

redirectToFormOnValidationError controls if the ID of the form is added to the URL as an anchor, I believe, and not whether to ignore the BackURL or not. The fact the BackURL is used on form failure in either case is an error.
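An added example, not Silverstripe's own code and not using its API, of the redirect decision discussed in the report and in the comments above: on validation failure the handler returns to the page carrying the form (optionally with the form id appended as an anchor, the role attributed to redirectToFormOnValidationError), and BackURL is only consumed after a successful submission. The function names, parameters and the site-relative check on BackURL are assumptions added here as hardening, not behaviour the issue describes.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not Silverstripe code): accept only paths rooted at this
// site, e.g. "/home" or "/admin/pages". Rejects absolute URLs ("http://..."),
// protocol-relative URLs ("//other.example") and values carrying CR/LF/NUL.
function isSiteRelativeUrl(string $url): bool
{
    if ($url === '' || $url[0] !== '/') {
        return false;
    }
    if (strlen($url) > 1 && $url[1] === '/') {
        return false; // protocol-relative: would leave the site
    }
    if (preg_match('/[\r\n\0]/', $url)) {
        return false; // characters that could break the Location header
    }
    return true;
}

// Hypothetical helper (not Silverstripe code): decide where to send the browser
// after a form submission.
//   $requestUrl       URL of the request that carried the submission, i.e. the
//                     page with the form (may already contain ?BackURL=...)
//   $backUrl          raw BackURL value from the request, or null
//   $validationFailed whether form validation failed
//   $formAnchor       form id to append as #anchor on failure, or null
function redirectTargetAfterSubmit(
    string $requestUrl,
    ?string $backUrl,
    bool $validationFailed,
    ?string $formAnchor = null
): string {
    if ($validationFailed) {
        // A failed validation re-displays the form and never consumes BackURL.
        // $requestUrl still carries ?BackURL=..., so a later successful
        // submission can use it.
        $target = $requestUrl;
        if ($formAnchor !== null) {
            $target .= '#' . rawurlencode($formAnchor);
        }
        return $target;
    }
    if ($backUrl !== null && isSiteRelativeUrl($backUrl)) {
        return $backUrl;
    }
    return '/'; // fallback when BackURL is absent or not site-relative
}

// Constructed input mirroring the report: empty submission with ?BackURL=/home.
echo redirectTargetAfterSubmit('/Security/login?BackURL=/home', '/home', true, 'LoginForm'), "\n";
```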

zacps commented 7 years ago

Ah I see, you're right.

robbieaverill commented 5 years ago

Reproduced on SS 4.3.x-dev