From 3d91341af5bb7844609744fb941046fa015bb942 Mon Sep 17 00:00:00 2001 From: Kohei Yoshino Date: Tue, 5 Mar 2019 16:35:40 -0500 Subject: [PATCH] Bug 1503483 - Convert redirects to absolute path --- Bugzilla.pm | 9 +++------ Bugzilla/App/Plugin/Glue.pm | 2 +- Bugzilla/CGI.pm | 14 ++++++++++++++ Bugzilla/MFA.pm | 3 +-- Bugzilla/Search/Quicksearch.pm | 9 ++------- attachment.cgi | 9 +++------ chart.cgi | 15 +++++---------- colchange.cgi | 10 +--------- extensions/BMO/Extension.pm | 5 ++--- extensions/BMO/lib/Reports/Groups.pm | 3 +-- extensions/BMO/lib/Reports/ReleaseTracking.pm | 6 +----- extensions/GuidedBugEntry/Extension.pm | 3 +-- extensions/Voting/Extension.pm | 3 +-- github.cgi | 9 ++++----- long_list.cgi | 2 +- new_bug.cgi | 3 +-- post_bug.cgi | 3 +-- relogin.cgi | 5 ++--- report.cgi | 9 ++------- showattachment.cgi | 7 +------ token.cgi | 12 ++++++++---- userprefs.cgi | 3 +-- votes.cgi | 3 +-- xml.cgi | 2 +- 24 files changed, 59 insertions(+), 90 deletions(-) diff --git a/Bugzilla.pm b/Bugzilla.pm index d7720b2225..022c2531a7 100644 --- a/Bugzilla.pm +++ b/Bugzilla.pm @@ -303,11 +303,9 @@ sub login { my $self_url = trim($cgi->self_url); my $sig_type = 'prev_url:' . $authenticated_user->id; my $self_url_sig = issue_hash_sig($sig_type, $self_url); - my $redir_url - = URI->new(Bugzilla->localconfig->{urlbase} . "reset_password.cgi"); + my $redir_url = URI->new('reset_password.cgi'); $redir_url->query_form(prev_url => $self_url, prev_url_sig => $self_url_sig); - print $cgi->redirect($redir_url); - exit; + $cgi->base_redirect($redir_url->as_string); } } elsif (!i_am_webservice() @@ -329,8 +327,7 @@ sub login { if ($grace_period == 0 || $expired) { if (!($on_mfa_page || $on_token_page || $do_logout)) { - print Bugzilla->cgi->redirect("userprefs.cgi?tab=mfa"); - exit; + $cgi->base_redirect('userprefs.cgi?tab=mfa'); } } else { diff --git a/Bugzilla/App/Plugin/Glue.pm b/Bugzilla/App/Plugin/Glue.pm index b8b0c20bd1..9dca9fd608 100644 --- a/Bugzilla/App/Plugin/Glue.pm 
+++ b/Bugzilla/App/Plugin/Glue.pm @@ -73,7 +73,7 @@ sub register { my ($c, $type) = @_; if ($type == LOGIN_REQUIRED) { - $c->redirect_to('/login'); + $c->redirect_to(Bugzilla->localconfig->{basepath} . 'login'); return undef; } else { diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm index 29b7174f44..1656a869b0 100644 --- a/Bugzilla/CGI.pm +++ b/Bugzilla/CGI.pm @@ -885,6 +885,15 @@ sub redirect_to_urlbase { exit; } +sub base_redirect { + my ($self, $path, $is_perm) = @_; + print $self->redirect( + -location => Bugzilla->localconfig->{basepath} . ($path || ''), + -status => $is_perm ? '301 Moved Permanently' : '302 Found' + ); + exit; +} + sub url_is_attachment_base { my ($self, $id) = @_; return 0 if !use_attachbase() or !i_am_cgi(); @@ -1042,6 +1051,11 @@ instead of calling this directly. Redirects from the current URL to one prefixed by the urlbase parameter. +=item C + +Redirects to the given path relative to the `basepath` parameter which is +typically the root (`/`). + =item C Sets an appropriate date-dependent value for the Content Disposition header diff --git a/Bugzilla/MFA.pm b/Bugzilla/MFA.pm index bd28f62218..4851394eb8 100644 --- a/Bugzilla/MFA.pm +++ b/Bugzilla/MFA.pm @@ -89,8 +89,7 @@ sub verify_token { my $event = get_token_extra_data($token); delete_token($token); if (!$event) { - print Bugzilla->cgi->redirect('index.cgi'); - exit; + Bugzilla->cgi->base_redirect(); } return $event; } diff --git a/Bugzilla/Search/Quicksearch.pm b/Bugzilla/Search/Quicksearch.pm index aa23fbc335..7d152aafba 100644 --- a/Bugzilla/Search/Quicksearch.pm +++ b/Bugzilla/Search/Quicksearch.pm 
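Review bot: `base_redirect` joins `basepath` and `$path` without normalising the argument, so a `$path` that begins with `/` or `\` yields a Location of `//…` when `basepath` is `/`, and browsers resolve that as a scheme-relative URL on another host. The call sites visible in this patch pass strings with a literal prefix, except `get_attachment` in attachment.cgi, where `$path` is assigned outside the hunk and its first character cannot be checked from here. Stripping the prefix inside the helper keeps the same-site guarantee in one place: `$path =~ s{\A[/\\]+}{} if defined $path;` before the `print`.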
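Review bot: The POD entry for `base_redirect` leaves out two things a caller needs: the optional second argument that switches the status to 301, and the fact that the method prints the header and calls `exit`, so nothing after the call runs. The second matters at call sites that previously printed a redirect without exiting: the `load` branch of `quicksearch`, the `email_queue.html` branch in extensions/BMO/Extension.pm, and the attachment branch in github.cgi. I would add a sentence such as `Takes an optional true second argument to send a 301. This method does not return.` and write the parameter name as `C<basepath>`, since backticks are not POD markup.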
@@ -282,11 +282,8 @@ sub quicksearch { my $modified_query_string = $cgi->canonicalise_query(@params_to_strip); if ($cgi->param('load')) { - my $urlbase = Bugzilla->localconfig->{urlbase}; - # Param 'load' asks us to display the query in the advanced search form. - print $cgi->redirect( - -uri => "${urlbase}query.cgi?format=advanced&" . $modified_query_string); + $cgi->base_redirect("query.cgi?format=advanced&$modified_query_string"); } # Otherwise, pass the modified query string to the caller. @@ -333,9 +330,7 @@ sub _bug_numbers_only { if ($searchstring !~ /,/ && !i_am_webservice()) { # Single bug number; shortcut to show_bug.cgi. - print $cgi->redirect( - -uri => Bugzilla->localconfig->{urlbase} . "show_bug.cgi?id=$searchstring"); - exit; + $cgi->base_redirect("show_bug.cgi?id=$searchstring"); } else { # List of bug numbers. diff --git a/attachment.cgi b/attachment.cgi index df1b009fbb..081f4468ba 100755 --- a/attachment.cgi +++ b/attachment.cgi @@ -266,8 +266,7 @@ sub get_attachment { unless ($userid && $valid_token) { # Not a valid token. - print $cgi->redirect('-location' => Bugzilla->localconfig->{urlbase} . $path); - exit; + $cgi->base_redirect($path); } # Change current user without creating cookies. @@ -389,12 +388,10 @@ sub view { {do_redirect => \$do_redirect}); if ($do_redirect) { - my $uri = URI->new(Bugzilla->localconfig->{urlbase} . 'attachment.cgi'); + my $uri = URI->new('attachment.cgi'); $uri->query_param(id => $attachment->id); $uri->query_param(content_type => $contenttype) if $contenttype_override; - - print $cgi->redirect('-location' => $uri); - exit 0; + $cgi->base_redirect($uri->as_string); } # Don't send a charset header with attachments--they might not be UTF-8. diff --git a/chart.cgi b/chart.cgi index 7652680e4d..3c5536852b 100755 --- a/chart.cgi +++ b/chart.cgi 
@@ -62,10 +62,8 @@ if (!Bugzilla->feature('new_charts')) { # Go back to query.cgi if we are adding a boolean chart parameter. if (grep(/^cmd-/, $cgi->param())) { my $params = $cgi->canonicalise_query("format", "ctype", "action"); - print $cgi->redirect("query.cgi?format=" - . $cgi->param('query_format') - . ($params ? "&$params" : "")); - exit; + $cgi->base_redirect("query.cgi?format=" + . $cgi->param('query_format') . ($params ? "&$params" : '')); } my $action = $cgi->param('action'); @@ -87,8 +85,7 @@ $action ||= "assemble"; # Go to buglist.cgi if we are doing a search. if ($action eq "search") { my $params = $cgi->canonicalise_query("format", "ctype", "action"); - print $cgi->redirect("buglist.cgi" . ($params ? "?$params" : "")); - exit; + $cgi->base_redirect('buglist.cgi' . ($params ? "?$params" : "")); } $user->in_group(Bugzilla->params->{"chartgroup"}) || ThrowUserError( @@ -224,11 +221,9 @@ elsif ($action eq "convert_search") { my $params = new Bugzilla::CGI($query->edit_link); # These two parameters conflict with the one below. - $url = $params->canonicalise_query('format', 'query_format'); - $url = '&' . html_quote($url); + $url = '&' . $params->canonicalise_query('format', 'query_format'); } - print $cgi->redirect(-location => Bugzilla->localconfig->{urlbase} - . "query.cgi?format=create-series$url"); + $cgi->base_redirect("query.cgi?format=create-series$url"); } else { ThrowUserError('unknown_action', {action => $action}); diff --git a/colchange.cgi b/colchange.cgi index 542d347190..dadb5565df 100755 --- a/colchange.cgi +++ b/colchange.cgi 
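Review bot: In the `cmd-` branch the `query_format` request parameter is concatenated into the redirect target unencoded, so a value containing `&` or `#` alters the query string of the URL the user is sent to. The `basepath` prefix keeps the target on this site, but the value should still be escaped, for example `'query.cgi?format=' . url_quote($cgi->param('query_format') // '')`. `url_quote` is the helper the GuidedBugEntry hunk uses; whether chart.cgi already imports it is not visible here. The same expression appears in the report.cgi hunk.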
@@ -139,15 +139,7 @@ if (defined $cgi->param('rememberedquery')) { my $params = new Bugzilla::CGI($cgi->param('rememberedquery')); $params->param('columnlist', join(",", @collist)); - $vars->{'redirect_url'} = "buglist.cgi?" . $params->query_string(); - - # If we're running on Microsoft IIS, $cgi->redirect discards - # the Set-Cookie lines. In mod_perl, $cgi->redirect with cookies - # causes the page to be rendered as text/plain. - # Workaround is to use the old-fashioned redirection mechanism. - # See bug 214466 and bug 376044 for details. - print $cgi->redirect($vars->{'redirect_url'}); - exit; + $cgi->base_redirect('buglist.cgi?' . $params->query_string()); } if (defined $cgi->param('columnlist')) { diff --git a/extensions/BMO/Extension.pm b/extensions/BMO/Extension.pm index 6d368deeb5..62ea207502 100644 --- a/extensions/BMO/Extension.pm +++ b/extensions/BMO/Extension.pm @@ -230,7 +230,7 @@ sub page_before_template { Bugzilla::Extension::BMO::Reports::Internship::report($vars); } elsif ($page eq 'email_queue.html') { - print Bugzilla->cgi->redirect('view_job_queue.cgi'); + Bugzilla->cgi->base_redirect('view_job_queue.cgi'); } elsif ($page eq 'release_tracking_report.html') { require Bugzilla::Extension::BMO::Reports::ReleaseTracking; @@ -305,8 +305,7 @@ sub bounty_attachment { Bugzilla::BugMail::Send($bug->id, {changer => $user}); - print Bugzilla->cgi->redirect('show_bug.cgi?id=' . $bug->id); - exit; + Bugzilla->cgi->base_redirect('show_bug.cgi?id=' . $bug->id); } if ($attachment) { diff --git a/extensions/BMO/lib/Reports/Groups.pm b/extensions/BMO/lib/Reports/Groups.pm index 844ca282b0..52fdffa948 100644 --- a/extensions/BMO/lib/Reports/Groups.pm +++ b/extensions/BMO/lib/Reports/Groups.pm 
@@ -84,8 +84,7 @@ sub membership_report { my $who = $cgi->param('who'); if (!defined($who) || $who eq '') { if ($page eq 'group_membership.txt') { - print $cgi->redirect("page.cgi?id=group_membership.html&output=txt"); - exit; + $cgi->base_redirect('page.cgi?id=group_membership.html&output=txt'); } $vars->{'output'} = $cgi->param('output'); return; diff --git a/extensions/BMO/lib/Reports/ReleaseTracking.pm b/extensions/BMO/lib/Reports/ReleaseTracking.pm index 79f5b16237..b6ed41b05a 100644 --- a/extensions/BMO/lib/Reports/ReleaseTracking.pm +++ b/extensions/BMO/lib/Reports/ReleaseTracking.pm @@ -304,11 +304,7 @@ sub report { my $bugs = $dbh->selectcol_arrayref($query, undef, @params); push @$bugs, 0 unless @$bugs; - my $urlbase = Bugzilla->localconfig->{urlbase}; - my $cgi = Bugzilla->cgi; - print $cgi->redirect( - -url => "${urlbase}buglist.cgi?bug_id=" . join(',', @$bugs)); - exit; + Bugzilla->cgi->base_redirect('buglist.cgi?bug_id=' . join(',', @$bugs)); } # diff --git a/extensions/GuidedBugEntry/Extension.pm b/extensions/GuidedBugEntry/Extension.pm index 72bae0d84c..bed190c02b 100644 --- a/extensions/GuidedBugEntry/Extension.pm +++ b/extensions/GuidedBugEntry/Extension.pm @@ -42,12 +42,11 @@ sub enter_bug_start { # skip the first step if a product is provided if ($cgi->param('product')) { - print $cgi->redirect('enter_bug.cgi?format=guided' + $cgi->base_redirect('enter_bug.cgi?format=guided' . ($cgi->param('format_forced') ? '&format_forced=1' : '') . '#h=dupes' . '|' . url_quote($cgi->param('product')) . '|' . url_quote($cgi->param('component') || '')); - exit; } # Do not redirect to product forms if we came from there already diff --git a/extensions/Voting/Extension.pm b/extensions/Voting/Extension.pm index 523ee653d8..df1500364f 100644 --- a/extensions/Voting/Extension.pm +++ b/extensions/Voting/Extension.pm 
@@ -534,8 +534,7 @@ sub _update_votes { exit; } elsif ($cgi->param('delete_all_votes') == 0) { - print $cgi->redirect("page.cgi?id=voting/user.html"); - exit; + $cgi->base_redirect('page.cgi?id=voting/user.html'); } } else { diff --git a/github.cgi b/github.cgi index 25b2a3b5a0..2d53f9b9e8 100755 --- a/github.cgi +++ b/github.cgi @@ -73,13 +73,12 @@ elsif (lc($cgi->request_method) eq 'get') { my $state_cookie = $cgi->cookie('github_state'); # If the state or params are missing, or the github_state cookie is missing - # we just redirect to index.cgi. + # we just redirect to the homepage. unless ($state_param && $state_cookie && ($cgi->param('code') || $cgi->param('email'))) { - print $cgi->redirect($urlbase . "index.cgi"); - exit; + $cgi->base_redirect(); } my $invalid_request = $state_param ne $state_cookie; @@ -118,13 +117,13 @@ elsif (lc($cgi->request_method) eq 'get') { $target_uri->query_param_delete('logout'); if ($target_uri->path =~ /attachment\.cgi/) { - my $attachment_uri = URI->new($urlbase . "attachment.cgi"); + my $attachment_uri = URI->new('attachment.cgi'); $attachment_uri->query_param(id => scalar $target_uri->query_param('id')); if ($target_uri->query_param('action')) { $attachment_uri->query_param( action => scalar $target_uri->query_param('action')); } - print $cgi->redirect($attachment_uri); + $cgi->base_redirect($attachment_uri->as_string); } else { print $cgi->redirect($target_uri); diff --git a/long_list.cgi b/long_list.cgi index 6c72d4f1f4..41a893c90f 100755 --- a/long_list.cgi +++ b/long_list.cgi @@ -38,4 +38,4 @@ my @ids = split(/[\s,]+/, $buglist); my $ids = join('', map { $_ = "&id=" . $_ } @ids); -print $cgi->redirect("show_bug.cgi?format=multiple$ids"); +$cgi->base_redirect("show_bug.cgi?format=multiple$ids"); diff --git a/new_bug.cgi b/new_bug.cgi index b212293612..97f593fbb2 100755 --- a/new_bug.cgi +++ b/new_bug.cgi 
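Review bot: The `else` branch in github.cgi still passes `$target_uri` to `$cgi->redirect` as a full URL, so only the attachment branch gains the fixed-prefix behaviour of `base_redirect`. `$target_uri` is built outside this hunk; if it originates from a request parameter, confirm that its scheme and host are checked against this site before the redirect is sent. The same applies to `verify_mfa_login` in token.cgi, which keeps `redirect($event->{url})` for a URL read from token data. A short comment at each of the two call sites, stating where the URL is validated, would make the exception to `base_redirect` explicit.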
@@ -123,8 +123,7 @@ if (lc($cgi->request_method) eq 'post') { push(@all_mail_results, $ref_sent); } - print $cgi->redirect( - Bugzilla->localconfig->{urlbase} . 'show_bug.cgi?id=' . $new_bug->bug_id); + $cgi->base_redirect('show_bug.cgi?id=' . $new_bug->bug_id); } else { print $cgi->header(); diff --git a/post_bug.cgi b/post_bug.cgi index ceef33c246..cb4e5db990 100755 --- a/post_bug.cgi +++ b/post_bug.cgi @@ -44,8 +44,7 @@ my $vars = {}; # redirect to enter_bug if no field is passed. unless ($cgi->param()) { - print $cgi->redirect(Bugzilla->localconfig->{urlbase} . 'enter_bug.cgi'); - exit; + $cgi->base_redirect('enter_bug.cgi'); } # BMO: Don't allow updating of bugs if disabled diff --git a/relogin.cgi b/relogin.cgi index b7020b0989..aa00be7f18 100755 --- a/relogin.cgi +++ b/relogin.cgi @@ -31,9 +31,8 @@ my $target; if (!$action) { - # redirect to index.cgi if no action is defined. - print $cgi->redirect(Bugzilla->localconfig->{urlbase} . 'index.cgi'); - exit; + # redirect to the homepage if no action is defined. + $cgi->base_redirect(); } # prepare-sudo: Display the sudo information & login page diff --git a/report.cgi b/report.cgi index 63497b026a..46038c7b2e 100755 --- a/report.cgi +++ b/report.cgi @@ -30,13 +30,8 @@ $cgi->content_security_policy(report_only => 0); # Go straight back to query.cgi if we are adding a boolean chart. if (grep(/^cmd-/, $cgi->param())) { my $params = $cgi->canonicalise_query("format", "ctype"); - my $location - = "query.cgi?format=" - . $cgi->param('query_format') - . ($params ? "&$params" : ""); - - print $cgi->redirect($location); - exit; + $cgi->base_redirect('query.cgi?format=' + . $cgi->param('query_format') . ($params ? "&$params" : '')); } Bugzilla->login(); diff --git a/showattachment.cgi b/showattachment.cgi index b6bddbea68..867f90a9ae 100755 --- a/showattachment.cgi +++ b/showattachment.cgi 
@@ -36,9 +36,4 @@ my $id = $cgi->param('attach_id'); detaint_natural($id) if defined $id; $id ||= ""; -print $cgi->redirect( - -location => "attachment.cgi?id=$id", - -status => '301 Permanent Redirect' -); - -exit; +$cgi->base_redirect("attachment.cgi?id=$id", 1); diff --git a/token.cgi b/token.cgi index 821772b1b1..90acf2f55e 100755 --- a/token.cgi +++ b/token.cgi @@ -461,8 +461,13 @@ sub verify_mfa_login { my $token = shift; my ($user, $event) = mfa_event_from_token($token); $user->authorizer->mfa_verified($user, $event); - print Bugzilla->cgi->redirect($event->{url} // 'index.cgi'); - exit; + + if ($event->{url}) { + print Bugzilla->cgi->redirect($event->{url}); + exit; + } + + Bugzilla->cgi->base_redirect(); } sub mfa_event_from_token { @@ -475,8 +480,7 @@ sub mfa_event_from_token { # sanity check if (!$user->mfa) { delete_token($token); - print Bugzilla->cgi->redirect('index.cgi'); - exit; + Bugzilla->cgi->base_redirect(); } # verify diff --git a/userprefs.cgi b/userprefs.cgi index 2ac8dd4d52..a308726f69 100755 --- a/userprefs.cgi +++ b/userprefs.cgi @@ -214,8 +214,7 @@ sub DisableAccount { $user->update(); Bugzilla->logout(); - print Bugzilla->cgi->redirect(Bugzilla->localconfig->{urlbase}); - exit; + Bugzilla->cgi->base_redirect(); } sub DoSettings { diff --git a/votes.cgi b/votes.cgi index 6655146745..57912cd771 100755 --- a/votes.cgi +++ b/votes.cgi @@ -48,5 +48,4 @@ else { ThrowUserError('unknown_action', {action => $action}); } -print $cgi->redirect('page.cgi?' . $cgi->query_string); -exit; +$cgi->base_redirect('page.cgi?' . $cgi->query_string); diff --git a/xml.cgi b/xml.cgi index 0642575596..2f72c92ab6 100755 --- a/xml.cgi +++ b/xml.cgi @@ -40,4 +40,4 @@ if (defined $cgi->param('id')) { my $ids = join('', map { $_ = "&id=" . $_ } @ids); -print $cgi->redirect("show_bug.cgi?ctype=xml$ids"); +$cgi->base_redirect("show_bug.cgi?ctype=xml$ids");