cboos  committed a7d6a44

0.12.3dev: ignore scheme in the `_redirect_back` when checking for same host, but keep using the current scheme when redirecting, so that one can be switched to https after login without losing the referrer.

Issue reported and fix tested by Dirk Stöcker, thanks!

Closes #10028.

  • Parent commits 6e2dda3
  • Branches 0.12-stable

Files changed (1)

File trac/web/auth.py

     def _redirect_back(self, req):
         """Redirect the user back to the URL she came from."""
         referer = self._referer(req)
-        if referer and not (referer == req.base_url or \
-                referer.startswith(req.base_url.rstrip('/') + '/')):
+        if referer:
+            pos = req.base_url.find(':')
+            base_scheme = req.base_url[:pos]
+            base_noscheme = req.base_url[pos:]  
+            base_noscheme_norm = base_noscheme.rstrip('/')
+            referer_noscheme = referer[referer.find(':'):]
             # only redirect to referer if it is from the same site
-            referer = None
-        if referer and referer.rstrip('/') == req.base_url.rstrip('/') \
-                                              + req.path_info.rstrip('/'):
-            # Avoid redirect loops
-            referer = None
-        req.redirect(referer or req.abs_href())
+            if referer_noscheme == base_noscheme or \
+                    referer_noscheme.startswith(base_noscheme_norm + '/'):
+                # avoid redirect loops
+                if referer_noscheme.rstrip('/') != \
+                        base_noscheme_norm + req.path_info.rstrip('/'):
+                    req.redirect(base_scheme + referer_noscheme)
+        req.redirect(req.abs_href())
 
     def _referer(self, req):
         return req.args.get('referer') or req.get_header('Referer')
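
Review bot: On the `referer_noscheme = referer[referer.find(':'):]` line, a referer with no colon makes `find` return -1, so the slice silently yields the last character instead of signalling that there is no scheme; `req.base_url.find(':')` has the same edge case. Because `referer` can come from `req.args.get('referer')`, which is request-controlled, this comparison is the same-site guard for the redirect, and it would be more robust to split both URLs with a URL parser such as `urlsplit` and compare the host and path components rather than string offsets. Separately, the inner `req.redirect(base_scheme + referer_noscheme)` is followed by an unconditional `req.redirect(req.abs_href())` with no `return` in between, so the function depends on `req.redirect` never returning; a short comment or an explicit `return` would make that visible. A test covering an http referer against an https base URL, a referer on a foreign host, and the redirect-loop case would pin the intended behaviour down.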