From: Sven Schöling Date: Mon, 7 Sep 2009 08:56:56 +0000 (+0200) Subject: Nur realtive URIs für logon.pl?callback= erlauben. X-Git-Tag: release-2.6.1beta1~291 X-Git-Url: http://wagnertech.de/git?a=commitdiff_plain;h=f20785168580f2d3587ebb2d06ade189246fd5f3;p=kivitendo-erp.git Nur realtive URIs für logon.pl?callback= erlauben. --- diff --git a/bin/mozilla/menu.pl b/bin/mozilla/menu.pl index 6046337be..fbf3b2c05 100644 --- a/bin/mozilla/menu.pl +++ b/bin/mozilla/menu.pl @@ -38,6 +38,7 @@ $menufile = "menu.ini"; use SL::Menu; use Data::Dumper; +use URI; 1; @@ -48,8 +49,9 @@ $framesize = ($ENV{HTTP_USER_AGENT} =~ /links/i) ? "240" : "190"; sub display { $lxdebug->enter_sub(); - $form->{callback} = $form->unescape($form->{callback}); - $form->{callback} ||= "login.pl?action=company_logo"; + my $callback = $form->unescape($form->{callback}); + $callback = URI->new($callback)->rel($callback) if $callback; + $callback = "login.pl?action=company_logo" if $callback =~ /^(.\/)?$/; $form->header; @@ -58,7 +60,7 @@ sub display { - + You need a browser that can read frames to see this page. diff --git a/bin/mozilla/menuXML.pl b/bin/mozilla/menuXML.pl index 0f8bb5ca2..83310da11 100644 --- a/bin/mozilla/menuXML.pl +++ b/bin/mozilla/menuXML.pl @@ -41,6 +41,7 @@ use SL::Menu; use CGI::Carp qw(fatalsToBrowser); use Encode; +use URI; 1; # end of main @@ -48,7 +49,9 @@ use Encode; sub display { $locale = Locale->new($language, "menu"); my $charset = $dbcharset || 'ISO-8859-1'; - my $callback = $form->unescape($form->{callback}) || "login.pl?action=company_logo"; + my $callback = $form->unescape($form->{callback}); + $callback = URI->new($callback)->rel($callback) if $callback; + $callback = "login.pl?action=company_logo" if $callback =~ /^(.\/)?$/; my $text = $form->create_http_response('content_type' => 'text/xml', 'charset' => $charset) diff --git a/bin/mozilla/menunew.pl b/bin/mozilla/menunew.pl index ffb9afd8a..b48abc814 100644 --- a/bin/mozilla/menunew.pl 
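Review bot: In the `sub display` hunk of bin/mozilla/menu.pl the reset regex `/^(.\/)?$/` leaves the dot unescaped, so any two-character value ending in `/` (e.g. `a/`) is silently replaced by the default instead of only `./`; write it as `$callback = "login.pl?action=company_logo" if $callback =~ m{^(\./)?$};`. The `URI->new($callback)->rel($callback)` idiom does strip scheme and authority (a URI made relative to itself keeps only path, query and fragment), but nothing says so in the code, and an absolute path such as `/x` passes through unchanged, which is same-host and therefore acceptable; a one-line comment such as `# rel() against itself drops scheme and host, so callback= can only point back into this installation` would spare the next reader the detour through URI.pm. Note also that this file no longer writes the sanitised value back to `$form->{callback}`, unlike menunew.pl, menuv3.pl and menuv4.pl in the same commit; the frameset hunk that follows is not reproduced in this rendering, so if anything in it still reads `$form->{callback}` it would now see the raw request value rather than the relative one.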
+++ b/bin/mozilla/menunew.pl @@ -34,6 +34,7 @@ use English qw(-no_match_vars); use List::Util qw(max); +use URI; use SL::Menu; @@ -49,7 +50,10 @@ sub display { $form->{force_ul_width} = 1; $form->{date} = clock_line(); $form->{menu_items} = acc_menu(); - $form->{callback} = $form->unescape($form->{callback}) || "login.pl?action=company_logo"; + my $callback = $form->unescape($form->{callback}); + $callback = URI->new($callback)->rel($callback) if $callback; + $callback = "login.pl?action=company_logo" if $callback =~ /^(.\/)?$/; + $form->{callback} = $callback; print $form->parse_html_template("menu/menunew"); } diff --git a/bin/mozilla/menuv3.pl b/bin/mozilla/menuv3.pl index 43b9fc531..31aadf9e7 100644 --- a/bin/mozilla/menuv3.pl +++ b/bin/mozilla/menuv3.pl @@ -34,6 +34,7 @@ $menufile = "menu.ini"; use SL::Menu; +use URI; 1; @@ -44,7 +45,10 @@ sub display { $form->{date} = clock_line(); $form->{menu} = acc_menu(); - $form->{callback} = $form->unescape($form->{callback}) || "login.pl?action=company_logo"; + my $callback = $form->unescape($form->{callback}); + $callback = URI->new($callback)->rel($callback) if $callback; + $callback = "login.pl?action=company_logo" if $callback =~ /^(.\/)?$/; + $form->{callback} = $callback; print $form->parse_html_template("menu/menuv3"); diff --git a/bin/mozilla/menuv4.pl b/bin/mozilla/menuv4.pl index 0980ff6c7..0ff4f4b00 100644 --- a/bin/mozilla/menuv4.pl +++ b/bin/mozilla/menuv4.pl @@ -34,6 +34,7 @@ $menufile = "menu.ini"; use SL::Menu; +use URI; 1; 
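Review bot: The three-line sanitising sequence added to `sub display` in bin/mozilla/menunew.pl is the same text that this commit pastes into menu.pl, menuXML.pl, menuv3.pl and menuv4.pl, so the next correction to the regex or to the URI handling has to be repeated in five scripts and is likely to be missed in one of them. A small shared helper returning the sanitised string, e.g. `sub relative_callback { my ($form) = @_; ... }` in a module all five already load, called as `$form->{callback} = relative_callback($form);`, would keep the policy in one place. As written, the `if $callback` guard also lets an undefined value (if `unescape` returns undef for a missing parameter) reach `$callback =~ /^(.\/)?$/`; that still selects the default, but it would emit an uninitialized-value warning where warnings are enabled, so `my $callback = $form->unescape($form->{callback}) // '';` is cleaner.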
@@ -44,7 +45,13 @@ sub display { $form->{date} = clock_line(); $form->{menu} = acc_menu(); - $form->{callback} = $form->unescape($form->{callback}) || "login.pl?action=company_logo"; + my $callback = $form->unescape($form->{callback}); + $main::lxdebug->message(0, ">>>>> $callback"); + $callback = URI->new($callback)->rel($callback) if $callback; + $main::lxdebug->message(0, ">>>>> $callback"); + $callback = "login.pl?action=company_logo" if $callback =~ /^(.\/)?$/; + $main::lxdebug->message(0, ">>>>> $callback"); + $form->{callback} = $callback; print $form->parse_html_template("menu/menuv4"); diff --git a/templates/webpages/menu/menuv4_de.html b/templates/webpages/menu/menuv4_de.html index 5c232187a..7176a7d01 100644 --- a/templates/webpages/menu/menuv4_de.html +++ b/templates/webpages/menu/menuv4_de.html @@ -38,7 +38,7 @@ window.onload=clockon <div style="clear: both;"></div> - <iframe id="win1" src="login.pl?action=company_logo" width="100%" height="94%" name="main_window" style="position: absolute; border: 0px; z-index: 99; "> + <iframe id="win1" src="[% callback %]" width="100%" height="94%" name="main_window" style="position: absolute; border: 0px; z-index: 99; "> <p>Ihr Browser kann leider keine eingebetteten Frames anzeigen. Bitte w&auml;hlen Sie ein anderes Men&uuml; in der Benutzerkonfiguration im Administrationsmen&uuml; aus.</p> </iframe> </body>
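Review bot: The `sub display` hunk in bin/mozilla/menuv4.pl leaves three debugging statements, `$main::lxdebug->message(0, ">>>>> $callback");`, around the sanitising steps; none of the sibling scripts changed in this commit carries them, so they look like leftovers rather than intent. They write the raw, attacker-controllable `callback` request parameter to the debug log on every menu load (what level 0 means in this installation I cannot tell from here) and should be dropped before the release this commit is tagged under. With them removed the hunk is identical to the menuv3.pl one, which is a further argument for a shared helper instead of five copies.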
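Review bot: In templates/webpages/menu/menuv4_de.html the callback is interpolated into the `src` attribute as `[% callback %]` with no escaping filter. Today the value is safe only as a side effect of having been round-tripped through `URI->new` on the Perl side, which percent-encodes `"`, `<`, `>` and whitespace, but nothing in the template records that dependency, and a later change to menuv4.pl or another caller setting `callback` directly would turn this into attribute injection. If the template engine is Template Toolkit, as the `[% %]` syntax suggests, `src="[% callback | html %]"` costs nothing and makes the template safe on its own.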